We prove the security of the Bennett-Brassard (BB84) quantum key distribution protocol in the case where the source and detector are under the limited control of an adversary. Our proof applies when both the source and the detector have small basis-dependent flaws, as is typical in practical implementations of the protocol. We derive a general lower bound on the asymptotic key generation rate for weakly basis-dependent eavesdropping attacks, and also estimate the rate in some special cases: sources that emit weak coherent states with random phases, detectors with basis-dependent efficiency, and misaligned sources and detectors.

I. INTRODUCTION 

The security of quantum cryptography is founded on principles of fundamental physics, rather than assumptions about the resources available to a potential adversary. In the BB84 quantum key distribution protocol [1], two parties (Alice and Bob) establish a secret key about which the eavesdropper (Eve) cannot obtain a significant amount of information. Alice sends a key bit to Bob by preparing a qubit in one of two conjugate bases and Bob measures the qubit in one of the two bases; Eve, who does not know the basis chosen by Alice or by Bob, cannot collect information about the key without producing a detectable disturbance. This protocol, when suitably augmented by classical error correction and privacy amplification, is provably secure against any attack by Eve allowed by quantum mechanics [2-6].

Though security can be proven without imposing any restriction on Eve's attack (other than the requirement that she has no a priori information about the basis used), it is necessary to place conditions on the performance of the source and detector employed in the protocol. In the Shor-Preskill proof [5], it is assumed that any flaws in the source and detector can be absorbed into Eve's basis-independent attack. In the proof by Mayers [2], the source is assumed to be perfect, but the detector is completely uncharacterized. In the Koashi-Preskill proof [6], the detector is perfect, but the source is uncharacterized, aside from the proviso that it leaks no information about the basis choice to Eve. In all of these cases, serious faults in the apparatus can be detected in the protocol, so that Alice and Bob will reject the key if the equipment performs badly.

But none of these proofs apply when both the source and detector have small imperfections that depend on the basis used in the protocol, the case relevant to typical real-world implementations of quantum key distribution.

Since the BB84 protocol with perfect sources and detectors is secure, it is intuitively clear that BB84 should remain secure if the imperfections are "sufficiently small." We will sharpen this intuition into a quantitative statement, by calculating how the rate of generation of private key depends on the tolerance to which the equipment is characterized.

The simplest way to analyze the consequences of characterized imperfections is to absorb the defective performance of the equipment into the eavesdropper's attack. Primarily for this reason, we are led to consider the security of the BB84 protocol in a different framework than in previous security proofs: the flaws in the source and detector may depend on the bases chosen, and furthermore Eve may know these bases, but her power to exploit this knowledge is limited. We will prove security under an assumption that limits the basis dependence of Eve's attack.

It is natural to ask whether this assumption can be verified by conducting suitable tests on the source and detector (perhaps with testing equipment that is also not fully trustworthy, as in [7]). For now we put aside the issue of testing the equipment, and we will trust that our equipment performs approximately as expected. However, as cautious cryptologists we will assume that, within the prescribed limits, the performance of the equipment is controlled by Eve and maximally exploited by her to gain information about the shared key.

Our analysis follows the method of Shor and Preskill [5], who proved the security of BB84 by relating it to an entanglement distillation protocol. Their argument exploited a symmetry between the two bases used in the protocol, whose consequence is that the entangled pairs to be distilled have equal rates of bit errors and phase errors. Our task in this paper is to extend the analysis to the case where the symmetry between the bases is broken because the adversary has information about the basis used. We will give a general argument showing that if the basis-dependence of the attack is sufficiently weak, then the gap between the bit error rate and the phase error rate is small; this argument allows us to establish security against arbitrary attacks that satisfy a particular criterion for weak basis dependence, and to derive a lower bound on the asymptotic key generation rate.

To formulate our criterion for the attack to be weakly basis dependent, we focus on the coin that is flipped to determine the basis — the basis dependence is weak if the adversary interacts only weakly with the coin. The Shor-Preskill argument shows that, for the purpose of analyzing the security of BB84, it is convenient to imagine that Alice chooses each of her key bits by measuring half of an entangled state, and that she delays these measurements until after Eve has attacked the signals. Likewise, for analyzing weakly basis-dependent attacks, we find it convenient to imagine that the coin flip that determines the basis is realized by measuring a qubit, and that this measurement is delayed until after the adversary's attack. Then we can quantify the extent of the adversary's interactions with the coin according to how much the state of the coin is disturbed. Our general argument shows that if the disturbance of the coin is slight, then a secure key can be generated at a calculable nonzero rate.

Aside from presenting this general argument, we will also apply our methods to a few specific scenarios in which quantum key distribution is executed with imperfect devices. In some of these special cases, we can derive tighter lower bounds on the key generation rate than are obtained by the general argument. The examples we discuss include:

Tagging. A faulty source may "tag" some of the qubits with information, readable by the eavesdropper, that reveals the basis used in the preparation. An important special case, also recently analyzed by Inamori, Lütkenhaus and Mayers [8], is a source emitting weak coherent states which with nonnegligible probability contain multiple photons prepared in the same polarization state. An adversary might intercept the extra photons and collect information about the basis used without causing any disturbance, compromising security.

Basis-dependent detector efficiency. If the detector sometimes misfires, the probability that a qubit is successfully detected might depend on the basis used. An adversary that can control whether the detector fires can use this power to disguise eavesdropping.

Basis-dependent misalignment in the source or detector. The source or detector might not be properly aligned to emit or detect a qubit in the desired basis. The adversary can exploit her freedom to rotate these devices to reduce the disturbance caused by her eavesdropping.

Our results do not subsume, nor are they subsumed by, the results of [2,6,8]. Mayers and Koashi-Preskill assume that the detector or source is uncharacterized, but that the adversary is unable to influence the behavior of the devices to suit her purposes. We assume that the flaws in the devices are limited, but that the adversary controls the apparatus within these limits; furthermore, our security proof (unlike the Koashi-Preskill proof) applies to a source that leaks a small amount of information about the choice of basis. And more important, while Mayers assumes that the source is perfect, and Koashi and Preskill assume that the detector is perfect, our new techniques apply when both the source and the detector have small basis-dependent imperfections, the generic case in practical settings. In addition, while Koashi and Preskill assume that the signals emitted by Alice's source are uncorrelated with one another (the state describing the emission of n signals is a tensor product of n individual signals), and while Mayers likewise assumes that the signals are detected individually rather than collectively by Bob, our results are not inherently subject to such limitations. (However, we do assume that the signals are emitted and detected individually in many of the examples that we analyze.)

Aspects of the security of quantum key distribution in realistic settings have been analyzed previously [9-14]. However, our proof of security holds for arbitrary collective attacks by the eavesdropper, while individual attacks were considered in most previous work. (An important exception is the recent study by Inamori, Lütkenhaus and Mayers [8] of sources that emit weak coherent states.) Although our results do not yet constitute a definitive analysis of the security of realistic quantum cryptography, we expect that the tools we have developed will prove useful in further studies.

Beyond any of our particular results, we have broadened notably the domain of applicability of the Shor-Preskill method for proving security. This method has many further applications, and in particular allows one to easily analyze the effectiveness of various enhancements of the protocol such as two-way postprocessing [15].

Our findings are of both practical and conceptual interest. It is important to address whether practical implementations of quantum key distribution are truly secure, and in real-world implementations the apparatus is never flawless. And apart from practical concerns, quantum key distribution provides a fascinating theoretical laboratory for quantitatively exploring the unavoidable tradeoff between collecting information about a quantum system and disturbing the system.

We note that the security against arbitrary eavesdropping attacks of quantum key distribution performed with imperfect devices has also been analyzed by Ben-Or [16].

The rest of this paper is organized as follows. In Sec. II, we clarify the setting of our analysis by introducing Eve's collaborator Fred, who controls the flaws in the source and detector. We review the connection between the BB84 protocol and entanglement-based quantum key distribution in Sec. III, and reprise the Shor-Preskill argument which is the foundation for all that follows. We carefully formulate our models for sources and detectors in Sec. IV, and point out in Sec. V some ways in which these models fail to capture fully the properties of real devices. In Sec. VI we introduce the concept of a quantum coin, which is a useful tool for analyzing the power of Fred's basis-dependent attack on the equipment, and in Sec. VII we present our security proof for a general class of attacks that depend sufficiently weakly on the basis. We then proceed to explore various applications of this result: In Sec. VIII, we prove security for the case where the detector is perfect but the source has small generic flaws, and in Sec. IX, we treat the case where the detector has small flaws and the source is flawed but oblivious; that is, it leaks no information about the basis used. Sec. X analyzes the case where the source and detector are both slightly misaligned, and in Sec. XI we state without proof a result for the case where both the source and detector have small generic flaws (where the source is not necessarily oblivious). The case in which a fraction of the signals emitted by the source are tagged with basis information is dealt with in Sec. XII; this analysis is relevant to sources that emit weak coherent states with random phases, sources that are close to single photon sources, and a scenario where some of the basis and key bits are selected by flipping biased coins. Finally, in Sec. XIII we discuss the case of a detector with imperfect efficiency that is controlled by the adversary, and Sec. XIV contains some concluding comments.

II. ALICE AND BOB AND EVE AND FRED 

To clarify our assumptions about the source and detector imperfections, it is helpful to imagine that two collaborating adversaries are trying to foil the key distribution protocol: Eve and Fred. The goal of Alice and Bob is to generate a shared key not known to the Eve/Fred alliance.

Fred knows the basis chosen by Alice and/or Bob, and he can tamper with the source and/or detector, but only within certain prescribed limits. Because the basis dependence of his attack is limited, Fred can acquire only limited knowledge of what signal was emitted by the source and what outcome was recorded by the detector.

Eve on the other hand has no a priori knowledge of the basis chosen by Alice or by Bob, and she has no direct control over the source or the detector. But Eve is permitted to attack all of the signals sent by Alice to Bob collectively in any manner allowed by quantum mechanics. For example, Eve may entangle an ancilla that she controls with each signal after the signal is emitted by the source and before it is absorbed by the detector. Then Eve may delay the measurement of her ancilla until after all public discussion by Alice and Bob is concluded, choosing her measurement to optimize her information about the key.

While Eve can send to Fred any quantum or classical message of her choice, communication from Fred to Eve is restricted. Before Eve interacts with the signals, Fred may wish to notify her about Alice's basis choice, but his only means of conveying this information is through his limited ability to control the source. After Bob confirms receipt of the signals, Fred is permitted to share further information with Eve by sending it via a classical or quantum side channel. Apart from this restriction on their communication, Eve and Fred are free to choose a common strategy that optimally exploits Fred's limited power to manipulate the source and detector.

Various security proofs apply to settings that can be distinguished by describing Fred's role. In the setting considered by Mayers and by Koashi and Preskill, Fred does not share information with Eve, and the goal of Alice and Bob is to generate a shared key that Eve does not know. Mayers assumes that the source is perfect, but Fred is free to choose the measurement performed by the detector, which can depend at Fred's discretion on Bob's declared basis, and to report to Bob a portion of the information collected in the measurement. Koashi and Preskill assume that the detector is perfect, but Fred is free to choose the states emitted by the source except for one proviso: the emitted state, averaged over Alice's key bit, is independent of Alice's basis. In the setting considered in this paper, Eve again applies an arbitrary basis-independent quantum operation to her probe and the transmitted signals. And again, Fred, who has information about the declared bases, can influence how the equipment operates. But now, the basis dependence of Fred's attack is limited, and Fred and Eve can pool their knowledge after the signals are detected.

All of these settings are interesting. In the Mayers model, the detector can be arbitrarily flaky, and in the Koashi-Preskill model, the source leaks no basis information but is otherwise arbitrary. In the model we consider, both the source and detector are "pretty good" but controlled (within limits) by the adversary. Our models of the source and the detector will be described in more detail in Sec. IV.

III. DISTILLATION AND PRIVACY 

Our analysis follows the method of proof used by Shor and Preskill [5], which we will now briefly review. In this method, security is first established, following [3], for a protocol based on an entanglement distillation protocol (EDP). Then the security of a "prepare-and-measure" protocol, namely BB84, is established through a reduction to the EDP protocol.

We remark that entanglement distillation was first discussed in [17], that its relevance to the security of quantum key distribution was emphasized in [18], and that this connection was established rigorously in [3]. Entanglement distillation protocols have also been called "entanglement purification protocols," abbreviated EPP. We prefer to say "distillation" rather than "purification" as "purification" now has another widely accepted meaning in quantum information theory.

In the EDP protocol, Alice creates n + m pairs of qubits, each in the state

$$|\phi^+\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right), \qquad (1)$$

the simultaneous eigenstate with eigenvalue one of the two commuting operators $X \otimes X$ and $Z \otimes Z$, where $X$ and $Z$ are the Pauli operators. Then she sends half of each pair to Bob. Alice and Bob sacrifice m randomly selected pairs to test the "error rates" in the X and Z bases by measuring $X \otimes X$ and $Z \otimes Z$. If the error rate is too high, they abort the protocol. Otherwise, they conduct the EDP, extracting k high-fidelity pairs from the n noisy pairs. Finally, Alice and Bob both measure Z on each of these pairs, producing a k-bit shared random key about which Eve has negligible information. The protocol is secure because the EDP removes Eve's entanglement with the pairs, leaving her powerless to discern the outcome of the measurements by Alice and Bob.

If the EDP protocol has special properties, then proving the security of BB84 can be reduced to proving security of the EDP. Shor and Preskill considered EDP's with one-way communication [19], which are equivalent to quantum error-correcting codes, and furthermore, considered the specific class of codes known as Calderbank-Shor-Steane (CSS) codes [20,21]. (Gottesman and Lo [15] have described how a similar reduction can be applied to certain EDP's with two-way communication.) Like any quantum error-correcting code, a CSS code can correct both bit errors (pairs with $Z \otimes Z = -1$) and phase errors (pairs with $X \otimes X = -1$). But the crucial property of a CSS code is that the bit and phase error correction procedures can be decoupled — Z errors can be corrected without knowing anything about the X errors and vice versa.

In the EDP protocol, the key is affected by the bit error correction but not by the phase error correction. The phase error correction is important to expunge entanglement with Eve and so ensure the privacy of the key. But Eve's information about the final key is unaffected if Alice and Bob dispense with the phase error correction. What is essential is not that the phase error correction is actually done, but rather that it would have been successful if it had been done.

With the phase error correction removed, the extraction of the final key from the n noisy pairs is much simplified. Rather than first carrying out the EDP and then measuring Z for each of the k distilled pairs, Alice and Bob can instead measure Z for each of the n noisy pairs, and then do classical postprocessing of their measurement results to extract the final key. In this form, the entanglement-based protocol becomes equivalent to BB84.

We can see the equivalence more clearly by adding one further wrinkle to the entanglement-based protocol. In the BB84 protocol, Alice and Bob choose their bases at random, so that about half of the sifted key bits are transmitted in the X basis and about half in the Z basis. But in the entanglement-based protocol as we have described it, all of the final key bits are generated by measuring in the Z basis. To relate the two protocols, suppose that in the entanglement-based protocol a subset of the pairs is selected at random, and that for each pair in this subset, Alice and Bob apply the Hadamard transformation $H : X \leftrightarrow Z$ to their qubits before measuring Z. Equivalently, we can instruct Alice and Bob to measure X rather than Z for these selected qubits. Each measurement by Alice in the entanglement-based protocol prepares a qubit to be sent to Bob in one of the four BB84 states: $X = \pm 1$, $Z = \pm 1$, chosen at random. In BB84, Bob measures either X or Z, and through public discussion Alice and Bob reject the key bits where they used different bases; the remaining key, for which their bases agree, is called the "sifted key." As far as an eavesdropper is concerned, there is no difference between generating a bit of sifted key in BB84, where a qubit is prepared by Alice in a randomly chosen eigenstate of either X or Z and measured by Bob in the same basis, and generating a bit of key in the entanglement-based protocol, where Alice and Bob both measure their halves of an entangled pair of qubits.

A vestige of the CSS code of the EDP survives as a scheme for error correction and privacy amplification in this prepare-and-measure protocol. In a CSS code, classical linear codes $C_1$ and $C_2$ are used for bit and phase error correction respectively, where $C_2 \subset C_1$. The entanglement-based protocol is secure (whether or not the phase error correction is done) if, with "high probability" (probability of success exponentially close to unity), $C_1$ can correct the bit errors and $C_2$ can correct the phase errors. In the BB84 protocol, $C_1$ is used to correct bit errors in the key, and $C_2$ to amplify privacy. Specifically, Alice transmits the random string w through the quantum channel, randomly selects a codeword u of $C_1$, and announces u + w. Bob receives the corrupted string w + e, computes u + e, and corrects to u. The final key is the coset $u + C_2$ of $C_2$ in $C_1$.
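The coset construction just described, worked through in Python as an added example that is not part of the paper: $C_1$ is taken to be the [7,4] Hamming code and $C_2$ its dual, the [7,3] simplex code (the classical pair behind the seven-qubit Steane code); the matrix, the helper names and the one-error channel model are our own choices.

```python
"""Added example (not from the paper): the classical postprocessing that
the CSS code leaves behind in BB84. Alice announces u + w for a random
codeword u of C1, Bob turns his corrupted w + e into u + e, corrects it
to u, and both take the coset u + C2 as the key. We use the [7,4]
Hamming code as C1 and its dual, the [7,3] simplex code, as C2."""
import random
from itertools import product

N = 7
# Parity-check matrix of the [7,4] Hamming code C1. Column j is the
# binary expansion of j (least significant bit in row 0), which makes
# single-error decoding trivial.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]


def xor(a, b):
    """Sum of two GF(2) vectors."""
    return [x ^ y for x, y in zip(a, b)]


def syndrome(v):
    """H v^T over GF(2); the zero vector iff v is a codeword of C1."""
    return [sum(h * x for h, x in zip(row, v)) % 2 for row in H]


def in_c1(v):
    return not any(syndrome(v))


def span(rows):
    """All GF(2) linear combinations of the given rows."""
    words = set()
    for coeffs in product([0, 1], repeat=len(rows)):
        v = [0] * N
        for c, row in zip(coeffs, rows):
            if c:
                v = xor(v, row)
        words.add(tuple(v))
    return words


# C2 = row space of H. Because H H^T = 0 (mod 2) for this matrix, every
# row of H is itself a codeword of C1, i.e. C2 is a subcode of C1: the
# CSS condition the text requires.
C2 = span(H)
C1 = [list(v) for v in product([0, 1], repeat=N) if in_c1(list(v))]


def c2_is_subcode_of_c1():
    return all(in_c1(list(v)) for v in C2)


def correct(v):
    """Correct at most one bit flip: the syndrome, read as a binary
    number, is the 1-based index of the flipped position."""
    s = syndrome(v)
    pos = s[0] + 2 * s[1] + 4 * s[2]
    out = v[:]
    if pos:
        out[pos - 1] ^= 1
    return out


def coset_label(u):
    """Name the coset u + C2 inside C1. C1/C2 has two cosets: every word
    of C2 has even weight while 1111111 lies in C1 with odd weight, so the
    weight parity is linear, vanishes on C2, and separates the cosets."""
    return sum(u) % 2


def extract_key(w, e, rng):
    """One block: w is Alice's 7 sifted key bits, e the error pattern on
    the channel. Returns (Alice's key bit, Bob's key bit)."""
    u = rng.choice(C1)
    announced = xor(u, w)          # public announcement u + w
    received = xor(w, e)           # Bob's corrupted copy w + e
    u_plus_e = xor(announced, received)
    u_bob = correct(u_plus_e)      # C1 removes the bit error
    return coset_label(u), coset_label(u_bob)


def keys_agree(trials=200, seed=1):
    """Alice and Bob agree on every block when at most one bit is flipped."""
    rng = random.Random(seed)
    for _ in range(trials):
        w = [rng.randint(0, 1) for _ in range(N)]
        e = [0] * N
        e[rng.randrange(N)] = rng.randint(0, 1)   # zero or one flipped bit
        a, b = extract_key(w, e, rng)
        if a != b:
            return False
    return True


if __name__ == "__main__":
    print("C2 subset of C1:", c2_is_subcode_of_c1(),
          "| |C1| =", len(C1), "|C2| =", len(C2))
    print("keys agree on all blocks:", keys_agree())
```

Seven sifted bits yield one final key bit here because $C_1/C_2$ has only two cosets; the asymptotic rate $1 - H_2(\bar\delta) - H_2(\bar\delta_p)$ derived below is what large random CSS codes achieve in the same construction.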

If this method is used to compute the final key in the BB84 protocol, and if the key being distributed is very long, at what asymptotic rate can secure final key be extracted from the sifted key? The answer is the rate k/n at which high-fidelity pairs can be distilled from noisy pairs in the EDP, which depends on how noisy the pairs are. The purpose of the verification test included in the protocol is to obtain a reliable estimate of the noise. In the EDP, a useful way to characterize the noise is to imagine that, after the final Hadamard transformations are applied to the pairs, all n pairs are measured in the Bell basis — that is, both $Z \otimes Z$ and $X \otimes X$ are measured. If there were no noise at all, we would find $Z \otimes Z = X \otimes X = 1$ for every pair. Denote by $n\delta$ the number of pairs for which we have $Z \otimes Z = -1$ instead; we say that $\delta$ is the bit error rate of the noisy pairs. Denote by $n\delta_p$ the number of pairs for which we have $X \otimes X = -1$; we say that $\delta_p$ is the phase error rate of the pairs.

For a given state of the n pairs, the rates $\delta$ and $\delta_p$ are actually random variables, because the quantum measurement of the pairs is nondeterministic. But suppose that from the verification test, we can infer that for sufficiently large n and any $\varepsilon > 0$, the inequalities $\delta < \bar\delta + \varepsilon$ and $\delta_p < \bar\delta_p + \varepsilon$ are satisfied with high probability. Furthermore, we may imagine that the key bits are subjected in the protocol to a publicly announced random permutation (or equivalently that the CSS code is correspondingly randomized), so that the bit and phase errors are randomly distributed among the qubits. It can then be shown [22,23] that, for sufficiently large n and any $\varepsilon' > 0$, there exists a CSS code such that the EDP distills k high-fidelity pairs from the n noisy pairs, where

$$k/n \ge 1 - H_2(\bar\delta + \varepsilon + \varepsilon') - H_2(\bar\delta_p + \varepsilon + \varepsilon'), \qquad (3)$$

and $H_2(\delta) = -\delta \log_2 \delta - (1 - \delta)\log_2(1 - \delta)$ is the binary entropy function. Therefore, in BB84, we establish an asymptotically achievable rate of extraction of secure final key from sifted key ("key generation rate"):

$$R = 1 - H_2(\bar\delta) - H_2(\bar\delta_p). \qquad (4)$$

That is, in the BB84 protocol, a fraction $H_2(\bar\delta)$ of the sifted key bits are sacrificed asymptotically to perform error correction and a fraction $H_2(\bar\delta_p)$ of the sifted key bits are sacrificed to perform privacy amplification.

We note that, although the permutation randomizes the positions of both the bit errors and the phase errors, correlations between bit errors and phase errors may remain. However, these correlations do not affect the achievable rate, because with CSS codes the bit error correction and phase error correction are performed separately. We also remark that the code $C_1$ used to correct bit errors can be chosen to be efficiently decodable [24]. It may not be possible to simultaneously choose the code $C_2$ to be efficiently decodable, but this is not important, since the phase error correction using $C_2$ is not actually carried out in the BB84 protocol — it need only be possible in principle.

Our arguments so far have reduced the problem of demonstrating the security of BB84 to inferring sufficiently stringent upper bounds on both the bit error rate and the phase error rate of the pairs used to generate the key in the corresponding entanglement-based protocol, based on the results of the verification test. Inferring the upper bound on the bit error rate is straightforward.

Let us consider the version of the entanglement-based protocol in which Alice and Bob measure both the test pairs and the key generating pairs in the Z basis, but a Hadamard transformation is applied to randomly selected pairs just prior to the measurement. When Eve interacts with the qubits traveling from Alice to Bob, she has no a priori knowledge concerning which pairs will be used for the test and which will be used for key generation. Therefore, the test pairs are a fair sample; it follows from classical sampling theory that the joint probability of observing $n\bar\delta$ errors in the test set and more than $n(\bar\delta + \varepsilon)$ errors in the key set is exponentially small for any $\varepsilon > 0$ and n sufficiently large. Note that this argument works even if Eve's attack induces strong correlations among the pairs; all that is required is that the sample selected for the test is chosen randomly.

Inferring an upper bound on the phase error rate requires an extra step. In the Shor-Preskill argument, it is assumed that the adversary has no a priori knowledge about the basis that Alice uses to send her signals and Bob uses to detect them. In the entanglement-based protocol, this becomes the statement that the adversary does not know to which pairs the Hadamard transformation is applied. But since the Hadamard interchanges the bit errors and the phase errors, it enforces a symmetry between the two types of errors. Therefore, the error rate measured in the test serves as an estimate of the phase error rate as well as the bit error rate: with high probability the phase error rate of the key generating pairs is also less than $\bar\delta + \varepsilon$. We conclude that final key can be extracted from sifted key at the rate $R = 1 - 2H_2(\bar\delta)$.

Now we have sketched the complete proof of security of BB84, except for one technicality. The sampling theory argument actually shows that the joint probability of an error rate $\bar\delta$ in the test pairs and an error rate greater than $\bar\delta + \varepsilon$ for the key generating pairs is exponentially small. For a security analysis, we should show that the conditional probability of an error rate for the key generating pairs greater than $\bar\delta + \varepsilon$ is exponentially small, given the error rate $\bar\delta$ found in the test. The desired result follows from Bayes's theorem as long as we assume that Eve's attack "passes" the verification test with a probability that is not itself exponentially small. That is, we exclude strategies by Eve such that extraordinary luck is required to induce the (small) error rate $\bar\delta$ found in the test. With this caveat in mind, we propose this definition of security:

Definition. Security of quantum key distribution.

A quantum key distribution protocol is secure if for any attack by Eve that passes the verification test with a probability that is not exponentially small, with high probability Alice and Bob agree on a final key that is nearly uniformly distributed and Eve's information about the final key is exponentially small. Here "exponentially small" means bounded above by $e^{-CN}$ where N is the number of signals transmitted in the protocol and C is a positive constant, "high probability" means exponentially close to 1, and "nearly uniformly distributed" means with a probability distribution exponentially close to the uniform distribution.

And we conclude:

Theorem 1. Security of BB84 against basis-independent attacks. The BB84 protocol is secure if Eve launches a basis-independent attack. Secure final key can be extracted from sifted key at the asymptotic rate

$$R = \mathrm{Max}\left(1 - 2H_2(\bar\delta),\, 0\right) \qquad (5)$$

where $\bar\delta$ is the bit error rate found in the verification test (assuming $\bar\delta < 1/2$).

To reiterate, two error rates are relevant to whether quantum key distribution is successful. The bit error rate is "measured" by conducting a verification test on a randomly sampled subset of the sifted key bits; that is, the observed bit error rate $\bar\delta$ found in the test provides an estimate of the error rate $\delta$ in the key generating bits that is accurate with high probability. If $\delta$ is low enough, we can be confident that error correction will succeed, so that Alice and Bob share a common key. The phase error rate $\delta_p$ is not measured by direct sampling — rather an upper bound $\delta_p < \bar\delta_p + \varepsilon$ is inferred from the bit error rate. If the inferred phase error rate $\delta_p$ is low enough, we can be confident that phase error correction (if done) will succeed, so that Eve will have a negligible amount of information about the key.

If the adversary has no knowledge of the basis, then with high probability the gap $|\delta_p - \delta|$ between the bit and phase error rates is asymptotically negligible, and the inference is straightforward. For example, if the effect of Eve's attack is to apply X to Bob's qubit, this action will induce a bit error if Alice and Bob both measure Z to generate a key bit in the entanglement-based protocol, and it will induce a phase error if Alice and Bob both measure X. Since Eve doesn't know the basis, her action generates bit errors and phase errors with the same probability. But in this paper, going beyond Shor's and Preskill's original argument, we will allow Fred to know the basis, enabling him to enhance $\delta_p$ relative to $\delta$. In many cases of interest, the basis dependence of Fred's attack is limited; we can infer an upper bound $\delta_p < \bar\delta_p + \varepsilon$ and so through Eq. (4) establish an achievable key length.

In the BB84 protocol, Alice and Bob can measure both the error rate $\delta_X$ when they use the X basis and the error rate $\delta_Z$ when they use the Z basis. These rates need not be equal even if Eve does not know the bases that Alice and Bob use. For example, Eve might measure in the Z basis each qubit she receives from Alice, and resend to Bob the Z eigenstate found by her measurement, resulting in expected values $\delta_Z = 0$ and $\delta_X = 1/2$. We emphasize that $\delta$ and $\delta_p$ should not be confused with $\delta_Z$ and $\delta_X$. The bit error rate $\delta \approx (\delta_X + \delta_Z)/2$ is observed in the verification test, but the phase error rate $\delta_p$ is not directly "measured" in the protocol.
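The following Python is an added example, not code from the paper: it implements the rate of Eq. (5) and simulates the intercept-resend attack just described, checking that the per-basis rates come out as $\delta_Z = 0$, $\delta_X \approx 1/2$ and that the resulting $\bar\delta \approx 1/4$ drives the key rate to zero. The real-vector qubit model, the sample sizes and the function names are our own choices.

```python
"""Added example (not from the paper): the Shor-Preskill key rate of Eq. (5)
and the intercept-resend attack of Sec. III, in which Eve measures every
qubit in the Z basis and resends the eigenstate she found."""
import math
import random


def h2(p):
    """Binary entropy H2(p) in bits, with H2(0) = H2(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def key_rate(delta):
    """Eq. (5): R = Max(1 - 2 H2(delta), 0) for a basis-independent attack,
    delta being the bit error rate found in the verification test."""
    return max(1.0 - 2.0 * h2(delta), 0.0)


# Single-qubit states as real 2-vectors: the X and Z eigenstates.
S = 1 / math.sqrt(2)
BASIS = {
    "Z": [(1.0, 0.0), (0.0, 1.0)],   # Z = +1 -> bit 0, Z = -1 -> bit 1
    "X": [(S, S), (S, -S)],          # X = +1 -> bit 0, X = -1 -> bit 1
}


def measure(state, basis, rng):
    """Born-rule measurement: returns (bit, post-measurement eigenstate)."""
    b0, b1 = BASIS[basis]
    p0 = (b0[0] * state[0] + b0[1] * state[1]) ** 2
    bit = 0 if rng.random() < p0 else 1
    return bit, (b0 if bit == 0 else b1)


def intercept_resend(n_signals, seed=0):
    """Run n_signals rounds of BB84 with Eve measuring Z and resending.
    Returns (delta_Z, delta_X, delta), where delta is the sifted-key bit
    error rate, i.e. what the verification test would observe."""
    rng = random.Random(seed)
    errors = {"Z": 0, "X": 0}
    sifted = {"Z": 0, "X": 0}
    for _ in range(n_signals):
        a_basis = rng.choice("ZX")
        a_bit = rng.randint(0, 1)
        state = BASIS[a_basis][a_bit]
        # Eve: measure in Z, forward the Z eigenstate she observed.
        _, state = measure(state, "Z", rng)
        b_basis = rng.choice("ZX")
        b_bit, _ = measure(state, b_basis, rng)
        if a_basis != b_basis:
            continue                    # sifting discards mismatched bases
        sifted[a_basis] += 1
        errors[a_basis] += int(a_bit != b_bit)
    dz = errors["Z"] / sifted["Z"]
    dx = errors["X"] / sifted["X"]
    delta = (errors["Z"] + errors["X"]) / (sifted["Z"] + sifted["X"])
    return dz, dx, delta


if __name__ == "__main__":
    dz, dx, d = intercept_resend(20000)
    print(f"delta_Z={dz:.3f} delta_X={dx:.3f} delta={d:.3f} R={key_rate(d):.3f}")
    print(f"R(0.11)={key_rate(0.11):.4f}  R(0.12)={key_rate(0.12):.4f}")
```

The last line shows the familiar threshold of Eq. (5): the rate is still positive at a test error rate of 11% and vanishes by 12%.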



IV. MODEL DEVICES 

Because the Shor-Preskill argument, both in its orig- 
inal incarnation and in its extension to basis-dependent 
attacks, makes use of an EDP, there are limitations on 
the sources and detectors to which it applies. In the 
entanglement-based protocol, Alice and Bob both mea- 
sure qubits, in either the X basis or the Z basis — what 
we will call standard measurements. In the correspond- 
ing prepare and measure protocol, Alice's source need not 
emit a qubit, but whatever it emits can be simulated by 
a standard measurement performed on half of a bipartite 
state [22]. The state that arrives at Bob's detector also 
might not be a qubit, but the measurement can be real- 
ized as a standard measurement preceded by an operation 
that "squashes" the incoming state to a two-dimensional 
Hilbert space. 

To be more specific, the source model that we adopt is as follows: Alice's source emits a state in a Hilbert space H_A, where H_A can be arbitrary, and she launches a state by acting on an auxiliary qubit A'. Alice's basis choice a ∈ {0, 1} is determined by flipping a coin. Then a state ρ_a of H_A ⊗ H_A', which can depend on the basis a, is prepared by Fred. Alice proceeds to perform a standard measurement on her qubit A' in the basis indicated by a; that is, a Hadamard transformation is performed on A' if and only if a = 1, and then Alice measures the qubit in the Z basis. Her measurement determines her key bit: g = 0 for outcome +1, g = 1 for outcome −1. (Note that, depending on the state ρ_a, the key bits g = 0, 1 need not be equiprobable.) If Fred's states ρ_0 and ρ_1 are close to one another, then the states emitted by the source, averaged over the key bit, depend only weakly on the basis. 

Actually we can generalize this source model to allow successive emissions to be correlated with one another. Now let A' denote a system of n qubits, A the system in which Alice's n signals reside, and ρ_a a state of H_A ⊗ H_A'; the state ρ_a may depend on the n-bit string a that specifies Alice's basis choice for each of the n signals. Alice applies a Hadamard transformation to the ith qubit if and only if a_i = 1, then measures the qubits in the Z basis. The measurement outcomes determine her n-bit key g. Some of the results we report in this paper (Theorem 2, for example) apply to this more general source model. 



¹ If Alice and Bob perform a refined error analysis [25] (measuring separate error rates for the two bases), they can improve the key generation rate to R = 1 − H_2(δ_Z) − H_2(δ_X) [23]. 

FIG. 1. Roles of Alice, Bob, Eve, and Fred in the key distribution protocol. Fred prepares an entangled state ρ_a (which may depend slightly on Alice's basis choice a) of Alice's n-qubit Hilbert space H_A' and the signal space H_A; then Alice triggers the source by performing a standard measurement on A'. Eve applies an arbitrary basis-independent attack, and then Fred applies a channel E_b (which may depend slightly on Bob's basis choice b) that "squashes" the signals from the Hilbert space H_B to the n-qubit space H_B'. Finally, the qubits in B' are subjected to a standard measurement by Bob. The goal of the protocol is to generate a key that is not known by Eve and Fred, who may communicate freely after Bob measures. 

The n signals emitted by the source are attacked by Eve, who sends to the detector a state that lives in a Hilbert space H_B. We model the detector as follows: Bob's basis choice b ∈ {0, 1}^n for the n signals is determined by flipping n coins. Then Fred applies to the state received by the detector a quantum channel E_b that "squashes" H_B to the n-qubit space H_B'; this squash operation may depend on the basis b. Bob proceeds to perform standard measurements on the qubits; a Hadamard is performed on the ith qubit if and only if b_i = 1, then Bob measures the qubits in the Z basis. The measurements determine his n-bit key h: h_i = 0 if the outcome of the measurement of the ith qubit is +1 and h_i = 1 for outcome −1. Since the channel taking H_B to H_B' can act collectively on the incoming signals, our model allows the detector to perform a collective measurement on the n signals it receives. The basis dependence in the detector's performance is encoded in Fred's channel E_b. 

The prepare-and-measure BB84 protocol, for the 
source and detector models we have described, is depicted 
in Fig. 1. It can be related to a protocol in which entan- 
gled pairs of qubits are prepared by Eve (with help from 
Fred). Half of each pair is delivered to Alice, half to 
Bob, and they then proceed to perform standard mea- 
surements. The security of this latter protocol follows 
from the security of the corresponding EDP. Therefore, 
for this model of source and detector, we can use the 
Shor-Preskill method to analyze the security of BB84. 

It may be instructive to contrast our models of the 
source and detector with those considered in the proofs 
of Mayers [2] and Koashi and Preskill [6] . Mayers allows 
the detector to perform an arbitrary two-outcome POVM 
on each signal it receives, while in our model the POVM 
must be one that can be realized by a squash followed by 
a standard measurement. In principle, our model entails no loss of generality, since the Mayers POVM could be followed by the preparation of a qubit in a state chosen so that the standard measurement will reproduce the outcome of the POVM. However, our security proof works only if the channel E_b applied by Fred depends sufficiently weakly on the basis b, while Mayers requires no such condition. Koashi and Preskill consider a source that can be realized by the preparation of a basis-independent state of a bipartite system, followed by an arbitrary 
two-outcome POVM on half of the system, while in our 
model the POVM must be a standard measurement of 
a qubit. For the signals emitted by a general Koashi- 
Preskill source, though it would be possible to launch 
the same signals by performing a standard measurement 
on a qubit, this can be done only by choosing bipartite 
states that depend strongly on the basis, and our security 
proof works only when the dependence of the states on 
the basis is sufficiently weak. Therefore, our analysis of 
security does not apply to the general Mayers detector or 
the general Koashi-Preskill source. On the other hand, 
Mayers does not allow Fred to attack the source, Koashi 
and Preskill do not allow Fred to attack the detector, and 
the signals emitted by the Koashi-Preskill source reveal 
no information about the basis used. In contrast, our 
model allows the performance of both the source and the 
detector to depend on the basis, and allows the source to 
leak some information about the basis. 

Another noteworthy difference between our model and 
those of Mayers and Koashi-Preskill is that our model 
allows Alice's source to emit successive signals that are 
entangled with one another, and allows the detector to 
measure the signals collectively. In contrast, Koashi and 
Preskill assume that the signals emitted by Alice's source 
are unentangled with one another, and Mayers likewise 
assumes that the signals are detected by Bob individu- 
ally rather than collectively. This assumption is used be- 
cause a crucial step in the Mayers proof is to show that 
Eve's information about Alice's key would be unchanged 
if Bob were to flip the basis in which he measures the 
key bits, but not the basis in which he measures the test 
bits. A general collective measurement of the signals by 
Bob would generate correlations between key bit mea- 
surements and test bit measurements; therefore, when 
Bob announces the outcome of his measurements of the 
test bits he might reveal to Eve some information about 
his choice of basis for the measurement of the key bits. 
For this reason, we do not know how to justify the in- 
variance of Eve's information under the basis flip in the 
case of a collective measurement (though it is not in- 
conceivable that the argument can be extended to cover 
that case). Similarly, the Koashi-Preskill proof uses the 
property that Eve's information about Bob's key would 
be unchanged if Alice were to flip the basis in which she 
sends the key bits but not the basis in which she sends the 
test bits, which cannot be justified unless Alice's signals 
are unentangled. 

Our model of the detector can easily be generalized by endowing the detector with imperfect efficiency, so that it sometimes misfires and fails to record an outcome. One simple modification attaches an additional flag bit d_i to each of Bob's qubits. If d_i = 0, then the ith qubit is measured as above, but if d_i = 1 then the ith qubit is discarded and no outcome is recorded. 

Detector inefficiencies and other types of losses can 
be incorporated into the Shor-Preskill security analysis 
easily enough. Through public discussion, Alice and 
Bob can eliminate from their sifted key all signals for 
which Bob failed to record a measurement result. In the 
entanglement-based protocol, then, we consider an EDP 
applied to all the pairs from which sifted key bits will be 
successfully extracted when the measurements are per- 
formed. That is, before the EDP is applied we discard 
all pairs for which Alice and Bob chose different bases or 
for which the detector misfired, as well as the pairs con- 
sumed by the verification test. Security is then proven if 
we can infer from the test that, with high probability, the 
remaining pairs have sufficiently low rates of bit errors 
and phase errors. However, this inference must take into account any basis dependence in the detector efficiency that might contribute to the gap between δ and δ_p, as we will discuss further in Sec. XIII. Basis-dependent detector inefficiencies are more problematic for the Mayers argument, since the basis dependence may spoil the invariance of Eve's information about Alice's key when Bob flips his basis for the key bits (but not the test bits). 



V. REAL DEVICES 

We are interested in analyzing the security of quantum key distribution with imperfect equipment because 
we seek assurance that our protocols are secure not just 
in an ideal world but also in the real world. Therefore, 
the inherent limitations of our source and detector mod- 
els should be soberly contemplated. 

For example, real sources typically emit not qubits but 
bosonic modes of the electromagnetic field, and if the 
likelihood that a mode is multiply occupied is too high, 
security may be compromised. To evaluate this security 
threat in our limited framework, we will need to adjust 
our source model (as we will discuss in Sec. XII) to incor- 
porate the relevant features, even if not all the detailed 
physics, of the real source. 

A similar comment applies to detectors. In a typical detector setup for BB84, the incoming photonic mode encounters a polarizing beam splitter that routes the Z = +1 and Z = −1 polarization states (or the X = ±1 states) to two different photon detectors — threshold detectors that do not distinguish one photon from many. If one or the other detector fires, the polarization state is identified. But if more than one photon is present, both detectors might fire, an ambiguous result. If Bob is equipped with such a detector, Eve can trigger the ambiguous result at will by flooding the detector with photons. Even more troubling, Eve can arrange that Bob receive the ambiguous result if he chooses one basis but not the other. For example, Eve can intercept and measure in the Z basis the signal emitted by Alice, and then send on to Bob many Z-polarized photons in the state she detects. Then Bob will reproduce Eve's result if he measures in the Z basis, but will obtain the ambiguous result if he measures in the X basis [27]. Thus, by exploiting the flaw in the design of the detector, Eve can launch a "Trojan horse" attack, in effect switching Bob's detector off when it is poised to detect eavesdropping [28]. Although our detector model may not fully incorporate all the physics of the polarization beam splitter, we will nonetheless be able to investigate in Sec. XIII the power of a Trojan horse attack within an EDP framework. 



VI. CHOOSING THE BASIS QUANTUMLY 

For a security analysis that is applicable to BB84 per- 
formed with imperfect equipment, we wish to bound the 
adversary's information in the case of an attack that de- 
pends weakly on the basis used to send and detect the 
signals. For this purpose, we should find a precise for- 
mulation of what it means for the basis dependence to 
be "weak." Therefore, let us focus attention on the coins 
that Alice and Bob flip to determine their random choices 
of basis. An attack that depends weakly on the basis is one that depends only slightly on the outcomes of the coin flips. 

In the entanglement-based protocol as we have described it up to now, the coin flip is treated classically, and the outcome of the flip determines whether a Hadamard transformation is applied to a qubit before it is measured in the Z basis. Denote by a_i ∈ {0, 1} the outcome of the flip of the ith coin and by the length-n string a the outcome of the flip of n coins. (In the BB84 protocol, Alice and Bob flip separate coins. But for our security analysis we may confine our attention to the sifted key, for which their coin flips agree; therefore in effect there is only one basis choice a_i for each signal.) Denote by H(a) the operation which applies a Hadamard to the ith qubit if a_i = 1 and the identity to the ith qubit if a_i = 0. Then in the setting where Eve knows nothing about the basis choice, the effect of the randomly applied Hadamards by Alice and Bob (after the attack by Eve) is to transform the state of the n pairs according to 

a=0 

Then since H(b)H(a) = H(a ⊕ b), ρ' has the property of Hadamard invariance: for any bit string b, 

    (H(b) \otimes H(b))\, \rho'\, (H(b) \otimes H(b)) = \rho' .   (7)

In the Shor-Preskill argument, this symmetry of ρ' is used to infer that the bit error rate and phase error rate of the key generating pairs are, with high probability, nearly the same. 
In order to analyze (weakly) basis-dependent attacks, it is convenient to treat the coin flip quantumly rather than classically — we can imagine that each coin is in a coherent superposition of heads and tails, and that the Hadamard transform is conditioned on the state of the coins. In the ideal protocol, the n coins are prepared in the state 

    \left( \frac{1}{\sqrt{2}} (|0\rangle + |1\rangle) \right)^{\otimes n} = \frac{1}{\sqrt{2^n}} \sum_{a=0}^{2^n - 1} |a\rangle ,   (8)

and the Hadamard is applied to the ith pair if a_i = 1; therefore, if |Ψ⟩ is the state of the pairs, then the effect of the random basis choice can be expressed as 

    |\Psi\rangle \otimes |a\rangle \to (H(a) \otimes H(a))\, |\Psi\rangle \otimes |a\rangle .   (9)

When we trace over the state of the coin, the effect on the quantum state of the pairs is just as in eq. (6). 

Now, in this formulation, it is easy to describe the 
distinction between Eve's basis-independent attack and 
Fred's basis-dependent attack. Eve interacts only with 
the pairs, but Fred is permitted to tamper with both the 
pairs and the coins, as in Fig. 2. In the actual proto- 
col, the coin is classical, but it will not make Fred any 
less powerful if we allow him to attack a quantum coin 
instead. (When we say that the coin is "classical," we 
mean Fred's attack is a quantum operation applied to 
the pairs that is conditioned on the state of the coin in a 
preferred basis. We will prove security for general attacks 
by Fred with weak dependence on the state of the coin, 
so our results will apply in particular to the case of a 
classical coin.) Furthermore, it is easy to state precisely 
what it means for the attack to depend only weakly on 
the basis: the basis dependence is weak if Fred's attack 
disturbs the coin only slightly. This notion of weak basis 
dependence applies even if we allow Fred to attack the 
signals twice, at the source (before Eve's attack) and at 
the detector (after Eve's attack). Actually, once we intro- 
duce the quantum coin in this way, it is not so important 
to keep Fred in the picture at all — we can go back to 
the usual picture in which there is only one adversary, 
but limit Eve's attack on the coin. 

Definition. Δ-balanced attack. Suppose that after n pairs and the n corresponding coins are attacked by the adversary (but before the final Hadamard transformations, conditioned on the coins, that precede the measurement of the pairs in the Z basis), the n coins are all measured in the X basis. The attack is Δ-balanced if, with high probability, the number of coins for which the measurement outcome is X = −1 is less than nΔ. 

If Δ = 0, the attack is balanced — that is, basis-independent. We will prove in Sec. VII that if the attack is Δ-balanced and Δ is sufficiently small, then secure quantum key distribution is possible, and we will obtain a lower bound on the achievable key generation rate. Later we will discuss some more specific examples of Δ-balanced attacks, and for some of those attacks we will obtain stronger lower bounds on the rate. 

[Fig. 2 diagram; box labels: Measure X, Measure Z, Measure Z] 

FIG. 2. The quantum coin. The basis choice for the detec- 
tor (and the source) is determined by measuring a qubit (the 
coin) in the Z basis. To generate each bit of sifted key, a con- 
ditional Hadamard transformation, controlled by the coin, is 
applied to the signal qubit, and then the signal qubit is mea- 
sured in the Z basis. Fred's basis-dependent attack on the 
signal can be described as a joint attack on the coin and the 
signal. To quantify how the coin is disturbed by Fred's at- 
tack, we consider measuring the coin in the X basis after the 
attack and before the conditional Hadamard. 

We emphasize again that for a security analysis it suf- 
fices to imagine that Alice and Bob share a single quan- 
tum coin that determines the choice of basis for each 
signal. Of course, in the BB84 protocol, Alice and Bob 
use separate classical coins to determine whether to use 
the Z basis or the X basis. But the quantum coin is 
not intended to provide an accurate portrayal of the ac- 
tual protocol; it is a mathematical device for analyzing 
the impact of the basis dependence of the attack. For the 
purpose of this analysis, we replace the two classical coins 
by a single quantum coin only after discarding the cases 
in which Alice's classical coin flip and Bob's classical coin 
flip yield different outcomes. 

We have seen that for the analysis of the BB84 protocol, it is convenient to imagine that Alice delays the measurement that launches her signals until after Eve's attack. That way, we can relate the classical privacy amplification in BB84 to an EDP, and so establish security. Here we are taking this idea a step further. It is convenient to imagine that the measurement of the coin that determines the basis is also delayed until after the attack by Eve and Fred. That way, we can infer a bound on the asymmetry between the bit error rate and the phase error rate for pairs subjected to the EDP, and so establish that the EDP will be effective. 



VII. SECURITY PROOF FOR SMALL 
BASIS-DEPENDENT FLAWS 

To analyze security, we'd like to relate the asymmetry of the coin (as parametrized by Δ) to the gap between the bit error rate δ and the phase error rate δ_p when the pairs are measured in the Bell basis. First we need to write down a convenient expression for this gap. 

In the entanglement-based protocol, the random variables nδ and nδ_p are defined as the number of bit errors and phase errors that would be found if the n key generating pairs were all measured in the Bell basis. For a particular pair, consider the observable 



    \frac{1}{2}(Z \otimes Z - X \otimes X) = |\phi^-\rangle\langle\phi^-| - |\psi^+\rangle\langle\psi^+| ,   (10)

where |φ⁻⟩ and |ψ⁺⟩ are the Bell states 

    |\phi^-\rangle = \frac{1}{\sqrt{2}} (|00\rangle - |11\rangle) ,
    |\psi^+\rangle = \frac{1}{\sqrt{2}} (|01\rangle + |10\rangle) .   (11)

This observable has eigenvalues {+1, 0, −1}. If the pair is to be measured in the Z basis, we say that there is a bit error if Z ⊗ Z = −1 and that there is a phase error if X ⊗ X = −1. Therefore, the eigenvalue of ½(Z ⊗ Z − X ⊗ X) is −1 if there is a bit error but no phase error, +1 if there is a phase error but no bit error, and 0 if either there are no errors or both a bit error and a phase error. Similarly, if the pair is to be measured in the X basis, we say that there is a phase error if Z ⊗ Z = −1 and that there is a bit error if X ⊗ X = −1. Therefore, the eigenvalue of ½(Z ⊗ Z − X ⊗ X) is +1 if there is a bit error but no phase error, −1 if there is a phase error but no bit error, and 0 if either there are no errors or both a bit error and a phase error. 

Suppose that the basis choice is decided by flipping a coin, where the pairs are to be measured in the Z basis if the outcome of the coin flip is |0⟩ (Z_coin = +1), and the pairs are to be measured in the X basis if the outcome of the coin flip is |1⟩ (Z_coin = −1). Then the observable 

    \frac{1}{2}(Z \otimes Z - X \otimes X)_{\rm pair} \otimes Z_{\rm coin}   (12)

has the eigenvalue −1 if the pair has a bit error but no phase error, the eigenvalue +1 if the pair has a phase error but no bit error, and the eigenvalue 0 otherwise. We see, then, that for the n key generating pairs, the gap between the number of phase errors and the number of bit errors can be expressed as 

    n_{\rm gap} = n(\delta_p - \delta) = \sum_{i=1}^{n} \frac{1}{2}(Z \otimes Z - X \otimes X)_{{\rm pair},i} \otimes Z_{{\rm coin},i} .   (13)

Eq. (13) means that n_gap is a random variable whose probability distribution is the distribution of outcomes if the observable on the right-hand side of eq. (13) is measured. We might imagine that Z ⊗ Z and X ⊗ X are measured for every pair (this is a complete Bell measurement) and that Z_coin is measured for every coin; then n_gap is found by summing up all the results of these measurements. But since the Bell measurements and the coin measurements all commute with our expression for n_gap in eq. (13), we could just as well imagine that n_gap is measured first, and that the other measurements are completed later — the probability distribution for n_gap will be the same either way. In any case, our expression for n_gap is valid even if there are strong correlations among the pairs and the coins. 

If we imagine that all of the coins are measured in the X basis (as in the definition of a Δ-balanced attack), then the random variable that represents the number of coins for which the outcome is X = −1 can be expressed as 

    n^{(X)}_{\rm coin} = \sum_{i=1}^{n} I_{{\rm pair},i} \otimes \frac{1}{2}(I - X)_{{\rm coin},i} .   (14)

We wish to obtain a bound on n_gap that will hold with high probability for any possible state of the pairs and the coins such that n^{(X)}_coin is less than nΔ with high probability. It is convenient to express the gap as a sum of two terms, n_gap = n^{(X)}_gap + n^{(Z)}_gap, and to bound each term separately. First, consider 

    n^{(X)}_{\rm gap} = \frac{1}{2} \sum_{i=1}^{n} (Z \otimes Z)_{{\rm pair},i} \otimes Z_{{\rm coin},i} .   (15)

For each value of i, imagine that we perform two successive controlled-NOT gates, one with Alice's qubit as the control and the coin as the target, and the other with Bob's qubit as the control and the coin as the target. Acting by conjugation, the effect of these gates is 

    (Z \otimes Z)_{\rm pair} \otimes Z_{\rm coin} \to (I \otimes I)_{\rm pair} \otimes Z_{\rm coin} ,
    (I \otimes I)_{\rm pair} \otimes X_{\rm coin} \to (I \otimes I)_{\rm pair} \otimes X_{\rm coin} .   (16)



Therefore, this change of basis has no effect on the statistics of n^{(X)}_coin, while transforming the observable n^{(X)}_gap according to 

    n^{(X)}_{\rm gap} \to \frac{1}{2} \sum_{i=1}^{n} Z_{{\rm coin},i} = \frac{n}{2} - n^{(Z)}_{\rm coin} ,   (17)

where 

    n^{(Z)}_{\rm coin} = \sum_{i=1}^{n} \frac{1}{2}(I - Z)_{{\rm coin},i}   (18)

(the number of coins for which Z = −1, if all n are measured in the Z basis). 
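As an added check (our own code, not from the paper), the following Python builds the operators in eqs. (10) through (16) as explicit matrices and verifies the eigenvalues of the gap observable on the Bell states together with the CNOT conjugation rules of eq. (16); the helper names are ours.

```python
# Added example (not from the paper): checks the operator identities behind
# eqs. (10), (12) and (16)-(17) with explicit matrices.  Pure Python, no
# numpy; three qubits are ordered (Alice, Bob, coin), so operators on the
# pair plus the coin are 8 x 8 matrices.  Names are our own.
import math

def kron(a, b):
    """Kronecker product of two matrices given as lists of rows."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]

def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def close(a, b, tol=1e-12):
    return all(abs(x - y) < tol for ra, rb in zip(a, b) for x, y in zip(ra, rb))

I = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
P0 = [[1, 0], [0, 0]]          # |0><0|
P1 = [[0, 0], [0, 1]]          # |1><1|

def gap_observable():
    """The pair observable (1/2)(Z⊗Z − X⊗X) of eq. (10)."""
    zz, xx = kron(Z, Z), kron(X, X)
    return [[0.5 * (zz[i][j] - xx[i][j]) for j in range(4)] for i in range(4)]

def expectation(op, vec):
    """<v|op|v> for a real or complex column vector given as a list."""
    n = len(vec)
    return sum(vec[i].conjugate() * op[i][j] * vec[j]
               for i in range(n) for j in range(n)).real

_r = 1.0 / math.sqrt(2.0)
BELL = {                        # eq. (11) plus the two remaining Bell states
    "phi+": [_r, 0.0, 0.0, _r],
    "phi-": [_r, 0.0, 0.0, -_r],
    "psi+": [0.0, _r, _r, 0.0],
    "psi-": [0.0, _r, -_r, 0.0],
}

def gap_eigenvalues():
    """Eigenvalue of eq. (10) on each Bell state.

    phi- (Z⊗Z = +1, X⊗X = -1) gives +1, psi+ (Z⊗Z = -1, X⊗X = +1) gives -1,
    and the two states whose syndromes agree give 0.
    """
    g = gap_observable()
    return {name: round(expectation(g, v), 9) for name, v in BELL.items()}

def cnot_pair_to_coin():
    """CNOT(Alice -> coin) followed by CNOT(Bob -> coin), as an 8 x 8 unitary."""
    cnot_a = add(kron(kron(P0, I), I), kron(kron(P1, I), X))
    cnot_b = add(kron(kron(I, P0), I), kron(kron(I, P1), X))
    return matmul(cnot_b, cnot_a)

def conjugate_by_cnots(op):
    """U op U^dagger with U the two CNOT gates (the change of basis in eq. 16)."""
    u = cnot_pair_to_coin()
    return matmul(matmul(u, op), dagger(u))

def check_eq16():
    """True if both lines of eq. (16) hold.

    (Z⊗Z)_pair ⊗ Z_coin becomes (I⊗I)_pair ⊗ Z_coin, so each term of
    n_gap^(X) in eq. (15) turns into (1/2) Z_coin as in eq. (17), while
    (I⊗I)_pair ⊗ X_coin, the observable counted by n_coin^(X), is unchanged.
    """
    zz_zc = kron(kron(Z, Z), Z)
    ii_zc = kron(kron(I, I), Z)
    ii_xc = kron(kron(I, I), X)
    return (close(conjugate_by_cnots(zz_zc), ii_zc)
            and close(conjugate_by_cnots(ii_xc), ii_xc))

if __name__ == "__main__":
    print(gap_eigenvalues())     # {'phi+': 0.0, 'phi-': 1.0, 'psi+': -1.0, 'psi-': 0.0}
    print("eq. (16) holds:", check_eq16())
```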

We are interested in analyzing how the statistics of n_gap is related to the statistics of n^{(X)}_coin. Let ρ denote the state of the n coins and the n pairs, and suppose that the controlled-NOT gates described above transform this state to a new state ρ'. We see that the statistics of n^{(X)}_coin and n^{(X)}_gap in the state ρ is identical to the statistics of n^{(X)}_coin and n/2 − n^{(Z)}_coin in the state ρ'. Therefore, to derive a relation between n^{(X)}_coin and n^{(X)}_gap that holds with high probability for an arbitrary state ρ, it suffices to analyze how n^{(X)}_coin and n^{(Z)}_coin are related for an arbitrary state ρ'. 
For this we appeal to the following lemma, which asserts that if n^{(X)}_coin is small, then n^{(Z)}_coin is close to n/2: 

Lemma 1 For a quantum state of n coins, suppose that with high probability n^{(X)}_coin < nΔ. Then, for any positive ε, with high probability 

    \left| \frac{n}{2} - n^{(Z)}_{\rm coin} \right| < n (f(\Delta) + \varepsilon) ,   (19)

where Δ and f(Δ) are related by 

    H_2(1/2 - f(\Delta)) + H_2(\Delta) = 1 .   (20)

Proof: The proof for the case of a pure quantum state |ψ⟩ of n coins, where n^{(X)}_coin < nΔ with probability 1, is in Appendix A of [26]. But if instead n^{(X)}_coin < nΔ with high probability, we can write |ψ⟩ = |ψ⟩_good + |ψ⟩_bad, where the (unnormalized) state |ψ⟩_good has n^{(X)}_coin < nΔ with probability 1, and ‖ψ_bad‖ is exponentially small. Hence |ψ⟩_good, and therefore also |ψ⟩, has the property eq. (19) with high probability. Therefore, Lemma 1 holds for pure states. Now, a mixed state can be realized as an ensemble of pure states. By the hypothesis of Lemma 1, all of the pure states in this ensemble, except for those occurring with exponentially small probability, satisfy n^{(X)}_coin < nΔ with high probability, and therefore also satisfy eq. (19) with high probability. This proves Lemma 1. 

We note that by expanding H_2(1/2 − f) as a power series in f, and using the convexity of H_2, we can derive from eq. (20) a useful inequality satisfied by f(Δ): 

    (f(\Delta))^2 \le \tfrac{1}{2} (\ln 2)\, H_2(\Delta) .   (21)

Expanding this expression for small A and using convex- 
ity again, we obtain 

From Lemma 1 and eq. (17), we infer that, for a Δ-balanced attack, |n^{(X)}_gap| < n(f(Δ) + ε) with high probability. A similar argument shows that also |n^{(Z)}_gap| < n(f(Δ) + ε) with high probability, where 

    n^{(Z)}_{\rm gap} = -\frac{1}{2} \sum_{i=1}^{n} (X \otimes X)_{{\rm pair},i} \otimes Z_{{\rm coin},i} .   (23)

(For this argument, we apply Hadamard transformations to all pairs before applying the CNOT gates.) Since n_gap = n^{(X)}_gap + n^{(Z)}_gap, we have proved: 

Lemma 2 For a Δ-balanced attack on n pairs and n coins, the state of the pairs has the property 

    |\delta_p - \delta| < 2 (f(\Delta) + \varepsilon)   (24)

with high probability, for any positive ε. 



With Lemma 2 in hand, we can now complete the proof of security following the steps outlined in Sec. III. If the error rate found in the test is δ, then the number of bit errors in the key-generating pairs is less than n(δ + ε) with high probability (assuming that Eve's attack passes the test with a probability that is not exponentially small). For a Δ-balanced attack, we infer that the number of phase errors in the key-generating pairs is less than n(δ + 2f(Δ) + ε) with high probability. By introducing a random permutation (not known by Eve or Fred) we can ensure that the errors are randomly distributed among the pairs. Therefore, for a suitable CSS code, high fidelity pairs (and hence secure key) can be extracted at a rate 1 − H_2(δ + ε) − H_2(δ + 2f(Δ) + ε), for any positive ε. We have proved: 

Theorem 2. Security of BB84 against weakly basis-dependent attacks. The BB84 protocol is secure if Eve and Fred launch a Δ-balanced attack. Secure final key can be extracted from sifted key at the asymptotic rate 

    R = \mathrm{Max}\left( 1 - H_2(\delta) - H_2(\delta + 2 f(\Delta)),\, 0 \right)   (25)

where δ is the bit error rate found in the verification test and f(Δ) is defined as in eq. (20). (We assume δ + 2f(Δ) < 1/2.) 

We note that the key generation rate found in Theorem 2 is nonzero only for 2f(Δ) < 1/2, or Δ < .0289. 

Theorem 2 is our central result concerning security for equipment with generic flaws. In the remainder of this paper, we will analyze some specific examples. As we will see, for some special cases we can establish a key generation rate exceeding the rate eq. (25) found for the general case. 

VIII. INDIVIDUAL SOURCE FLAWS AND A 
PERFECT DETECTOR 

As our first application of Theorem 2, we consider the 
case where the detector is perfect, but the source is sub- 
ject to individual flaws that may leak some information 
to Eve about Alice's basis choice. We will prove security 
by showing that the attack is A-balanced. 

Suppose that Alice's source emits one of four possible states of a single qubit. In the ideal protocol, these states are the four BB84 states, chosen equiprobably. Suppose, though, that the source is imperfect, so that the four states differ from the corresponding BB84 states, but only slightly. 

Let a ∈ {0, 1} denote Alice's declared basis choice (ideally, the Z basis for a = 0 and the X basis for a = 1) and let g ∈ {0, 1} denote Alice's key bit. Suppose that a and g are chosen with the joint probability p_{a,g}, and that once the values of a and g are chosen, Alice's source emits a state ρ_{a,g}. The Koashi-Preskill analysis applies if p_{0,0} ρ_{0,0} + p_{0,1} ρ_{0,1} = p_{1,0} ρ_{1,0} + p_{1,1} ρ_{1,1}, the case in which the source does not reveal any information about a. We will say that the source is oblivious when it has this property. Now we are interested in the case where the source is nonoblivious: it leaks a small amount of information about the basis choice. 

We can characterize the flawed source by imagining that Alice prepares her states by performing an ideal measurement on half of an entangled pair. The state of the pair (prior to Alice's measurement) is ρ_0 for a = 0 and ρ_1 for a = 1. The basis dependence of the source is weak in the sense that the states ρ_0 and ρ_1 differ only slightly — their fidelity is close to one: 

    \sqrt{F(\rho_0, \rho_1)} = \left\| \sqrt{\rho_0} \sqrt{\rho_1} \right\|_{\rm tr} \ge 1 - 2\varepsilon_s .   (26)

If n signals are sent, the state that Fred prepares is a product state, ⊗_{i=1}^{n} ρ^{(i)}_{a_i}, where a_i denotes the basis choice for the ith signal, and √F(ρ^{(i)}_0, ρ^{(i)}_1) ≥ 1 − 2ε_s for each i. Thus we say that Fred's attack on the source is individual, and that the basis dependence is characterized by ε_s. We will suppose for now that any flaws in the detector are basis independent, so that Fred attacks only the source. 

The states ρ_0 and ρ_1 may be mixed in general, but they can be "purified" by introducing a suitable "environment" E; that is, there are pure states |Ψ_0⟩ and |Ψ_1⟩ such that 

    {\rm tr}_E (|\Psi_0\rangle\langle\Psi_0|) = \rho_0 , \qquad {\rm tr}_E (|\Psi_1\rangle\langle\Psi_1|) = \rho_1 .   (27)

Furthermore, it follows from eq. (26) that the purifications can be chosen to have a large overlap [29,30]: 

    {\rm Re}\, \langle \Psi_1 | \Psi_0 \rangle \ge 1 - 2\varepsilon_s .   (28)

Now suppose that, as in Sec. VI, we imagine that the basis choice is determined by a "quantum coin." Then, the state of the coin, the pair, and the environment can be described as a pure state 

    \frac{1}{\sqrt{2}} \left( |\Psi_0\rangle \otimes |0\rangle + |\Psi_1\rangle \otimes |1\rangle \right) .   (29)

If the state of the pair used by Alice to prepare her signal depends on the choice of basis, then the coin will be entangled with the pair and environment, and the strength of this entanglement will depend on how much |Ψ_0⟩ and |Ψ_1⟩ differ. Of course, the quantum coin is merely a mathematical fiction that we invoke for the purpose of analyzing the basis dependence of the pairs that are used to generate the key in the entanglement-based key distribution protocol. Furthermore, the state of the pairs does not depend on how we choose the purifications of ρ_0 and ρ_1. But the state of the coins does depend on this choice, and we may exploit our freedom in choosing the purifications to obtain the strongest possible bound on the basis dependence of the pairs. 

Since we are assuming that any flaws in the detector are basis independent, these may be absorbed into Eve's basis-independent attack. Then since Eve's attack has no effect on the coins, the state of any coin can be completely characterized by tracing out the pair and environment from eq. (29). If the state of the coin is now measured in the X basis, the outcome X = −1 occurs with probability 

    p = \frac{1}{4} \left\| |\Psi_0\rangle - |\Psi_1\rangle \right\|^2 = \frac{1}{2} \left( 1 - {\rm Re}\, \langle \Psi_1 | \Psi_0 \rangle \right) \le \varepsilon_s .   (30)

Because the attack is individual, the coins are independent and this bound on p applies to each one of the n coins; therefore we conclude that the attack is (ε_s + ε)-balanced, for any positive ε. Hence from Theorem 2 we obtain 

Theorem 3. Security of BB84 for a source with individual weakly basis-dependent flaws. Suppose that the flaws in the detector are basis-independent, and that the flaws in the source are individual. The $i$th signal sent by Alice is prepared by performing a standard qubit measurement on half of an entangled state — this state is $\rho_0^{(i)}$ when the $Z$ basis is declared and $\rho_1^{(i)}$ when the $X$ basis is declared, where $\sqrt{F(\rho_0^{(i)}, \rho_1^{(i)})} \ge 1 - 2\epsilon_s$ for all $i$. Then the BB84 protocol is secure, and secure final key can be extracted from sifted key at the asymptotic rate 

$$R = \mathrm{Max}\left(1 - H_2(\delta) - H_2\big(\delta + 2f(\epsilon_s)\big),\, 0\right) \qquad (31)$$

where $\delta$ is the bit error rate found in the verification test and $f(\epsilon_s)$ is defined as in eq. (20). (We assume $\delta + 2f(\epsilon_s) < 1/2$.) 

Note that in the formulation of Theorem 3 we have assumed that all signals are detected — we have not considered the effects of loss in the channel or imperfect detector efficiency. In principle, Eve can amplify the basis-dependence of Fred's attack by eliminating some of the signals. In the worst case, the coin is an $X = 1$ eigenstate for each of the signals that Eve removes. Then, if a fraction $f$ of all the signals are lost, $\Delta$ is enhanced according to 

$$\Delta \to \Delta' \le \frac{\Delta}{1 - f}\,. \qquad (32)$$

The effects of loss will be discussed further in Sec. XII and Sec. XIII. 



IX. IMPERFECT OBLIVIOUS SOURCE AND 
IMPERFECT DETECTOR 

We recall that Koashi and Preskill [6] proved the secu- 
rity of BB84 in the case where the detector is perfect and 
the signals emitted by the source, when averaged over the 
key bits, are basis independent (an oblivious source). The 
situation they considered can be depicted as in Fig. 3. 
In effect, Eve prepares an entangled state of n qubits. 
which are delivered to Bob, and n general signals, which 
are delivered to Alice. To generate the sifted key, Alice 
performs an uncharacterized measurement on each of her 
n signals, and Bob performs a standard measurement on 
each of his n qubits. By simply reversing the roles of 
Alice and Bob, we obtain the situation considered by 
Mayers, in which the source is perfect and the detector 
is uncharacterized [2]. 



[Figure 3: boxes labelled "anything", "Uncharacterized Measurement", and "Measure Z"; image not reproduced.] 

FIG. 3. An uncharacterized oblivious source and a perfect detector. Eve prepares an entangled state of $n$ signals and $n$ qubits. Alice performs an uncharacterized measurement on the $n$ signals and Bob performs standard measurements on the $n$ qubits. Interchanging the roles of Alice and Bob, we obtain the case of a perfect source and an uncharacterized detector. 

We will now consider a special case of the Koashi- 
Preskill source: the source is oblivious, but we further 
assume that the source can be realized by the prepara- 
tion of a basis-independent entangled state of the signal 
space and a qubit, followed by a basis-dependent channel 
applied to the qubit, and finally a standard measurement 
of the qubit. However, we will go beyond Koashi and 
Preskill by allowing the detector to have basis-dependent 
flaws, as shown in Fig. 4. Actually, it will be no harder 
to analyze the more general case shown in Fig. 5: Eve 
prepares an arbitrary state of n entangled signals, which 
is mapped by Fred to a state of n pairs of qubits; then 
the pairs are distributed to Alice and Bob, who perform 
standard measurements. An important feature of this 
setting is that, although Fred's channel can depend on 
the basis in which Alice and Bob measure, there is no 
way for Fred to convey any information about the basis 
to Eve. In this sense the source is oblivious. 



[Figure 4: two boxes labelled "Measure Z"; image not reproduced.] 

FIG. 4. An oblivious source and an imperfect detector. 

[Figure 5: two boxes labelled "Measure Z"; image not reproduced.] 

FIG. 5. Stronger version of the attack in Fig. 4. 

We will further assume that the channel applied by Fred is a product of $n$ individual channels, and that each of these $n$ channels depends only weakly on the basis. For analyzing the impact on the quantum coin, it will be convenient to characterize the basis dependence of Fred's attack as follows: A channel $\mathcal{E}$ that takes Eve's arbitrary pair to a pair of qubits can be realized by its dilation, an isometric embedding $U$ of Eve's space into the space of the qubit pair and a suitable ancilla. Thus Fred's basis-dependent individual attack can be expressed as the tensor product $U_a = \bigotimes_{i=1}^{n} U_{a_i}^{(i)}$, where $i$ labels the pairs, and $a_i$ denotes the basis choice for the $i$th signal. Furthermore the attack depends only weakly on the basis, in the sense that $\tfrac{1}{4}\big\|U_0^{(i)} - U_1^{(i)}\big\|^2_{\rm sup} \le \epsilon$ for each $i$. 

Using this characterization, we can analyze how Fred's attack affects the coins that determine the basis. The basis choice is determined by $n$ quantum coins, each a qubit initially prepared in the $X = 1$ eigenstate, and suppose that the initial state of the $n$ pairs and their environment (before Fred's attack) is the pure state $|\psi\rangle$. Then after Fred's attack, the state of the coins, the pairs, and the environment can be written as 

(33) 

where $a$ is the $n$-bit string indicating the basis choice, and the states $\{|Z;a\rangle\}$ are the basis states of the coins in the $Z$ basis. After Fred's attack, suppose that all of the $n$ coins are measured in the $X$ basis. Let $x$ be an $n$-bit string, and let $|X;x\rangle$ denote a product of $n$ $X$ eigenstates, such that $X_i = 1$ for $x_i = 0$ and $X_i = -1$ for $x_i = 1$. Then, since $\langle X;x|Z;a\rangle = 2^{-n/2}(-1)^{a\cdot x}$, the probability that the measurement of the coins yields the outcome $x$ is 

$$P(x) = \Big\|\frac{1}{2^{n/2}}\sum_a \langle X;x|Z;a\rangle\, U_a|\psi\rangle\Big\|^2 = \Big\|\frac{1}{2^n}\sum_a (-1)^{a\cdot x}\, U_a|\psi\rangle\Big\|^2 \le \Big\|\frac{1}{2^n}\sum_a (-1)^{a\cdot x}\, U_a\Big\|^2_{\rm sup}\,. \qquad (34)$$

The sum in this expression can be factorized: 

$$\frac{1}{2^n}\sum_a (-1)^{a\cdot x}\, U_a = \bigotimes_{i=1}^{n} \tfrac{1}{2}\left(U_0^{(i)} + (-1)^{x_i}\, U_1^{(i)}\right). \qquad (35)$$

Furthermore, the sup norm of a tensor product is a product of sup norms. Since for each $i$ 

$$\big\|\tfrac{1}{2}\big(U_0^{(i)} + U_1^{(i)}\big)\big\|_{\rm sup} \le 1\,, \qquad (36)$$

and, by the characterization of the attack above, $\big\|\tfrac{1}{2}\big(U_0^{(i)} - U_1^{(i)}\big)\big\|_{\rm sup} \le \sqrt{\epsilon}$, we have 

$$\Big\|\frac{1}{2^n}\sum_a (-1)^{a\cdot x}\, U_a\Big\|_{\rm sup} \le \left(\sqrt{\epsilon}\right)^{|x|} \qquad (37)$$

where $|x|$ denotes the Hamming weight of $x$, and therefore 

$$P(x) \le \epsilon^{|x|}\,. \qquad (38)$$

From this bound on $P(x)$, it is elementary to show that the probability that $|x| > (e\epsilon + \epsilon')n$ is exponentially small for any positive $\epsilon'$ and $e = 2.71828\cdots$. Therefore we have 

Lemma 3. A weakly basis-dependent individual oblivious attack by Fred is $\Delta$-balanced. Consider an individual attack by Fred, in which Fred applies $U_0^{(i)}$ to the $i$th pair if the basis choice is $a_i = 0$ and applies $U_1^{(i)}$ if the basis choice is $a_i = 1$, where $\tfrac{1}{4}\big\|U_0^{(i)} - U_1^{(i)}\big\|^2_{\rm sup} \le \epsilon$ for each $i$. This attack is $\Delta$-balanced for any $\Delta > e\epsilon$. 

And from Theorem 2 we obtain: 

Theorem 4. Security of entanglement-based key distribution against weakly basis-dependent individual oblivious attacks. Consider an individual attack by Fred, in which Fred applies $U_0^{(i)}$ to the $i$th pair if the basis choice is $a_i = 0$ and applies $U_1^{(i)}$ if the basis choice is $a_i = 1$, where $\tfrac{1}{4}\big\|U_0^{(i)} - U_1^{(i)}\big\|^2_{\rm sup} \le \epsilon$ for each $i$. Then the entanglement-based key distribution protocol is secure, and secure final key can be extracted from sifted key at the asymptotic rate 

$$R = \mathrm{Max}\left(1 - H_2(\delta) - H_2\big(\delta + 2f(e\epsilon)\big),\, 0\right) \qquad (39)$$

where $\delta$ is the bit error rate found in the verification test and $f(e\epsilon)$ is defined as in eq. (20). (We assume $\delta + 2f(e\epsilon) < 1/2$.) 

In our formulation of Theorem 4, we have chosen to characterize the basis-dependence of the attack in terms of the sup norm distance between the two isometric embeddings $U_0$ and $U_1$ that realize Fred's channels $\mathcal{E}_0$ and $\mathcal{E}_1$. It would be more natural to use the intrinsic distance $\|\mathcal{E}_0 - \mathcal{E}_1\|_\diamond$ defined by the "diamond norm" [31]. But the proof of Lemma 3 uses the property that $U_0$ and $U_1$ are close in the sup norm; therefore if we want to reformulate Theorem 4 using the characterization that the channels are close in the diamond norm, we need to show that if two channels are close to one another in the diamond norm, then the dilations of the channels can be chosen to be close in the sup norm. The following lemma, proved in Appendix A, partially solves this problem: 

Lemma 4. Similar channels have similar dilations. Suppose that $\mathcal{E}_0$ and $\mathcal{E}_1$ are quantum channels mapping a $d$-dimensional system $S$ to a $d'$-dimensional system $T$, such that $\|\mathcal{E}_0 - \mathcal{E}_1\|_\diamond \le \epsilon$. Then there are dilations $U_0$ and $U_1$ of the channels (isometric embeddings of $S$ in $TE$, where $E$ is $dd'$-dimensional) such that $\|U_0 - U_1\|_{\rm sup} \le d\epsilon$. 

However, Lemma 4 has the unpleasant property that the dimension $d$ appears in the upper bound on $\|U_0 - U_1\|_{\rm sup}$. In principle, the state that Eve delivers to the detector could have arbitrarily high dimension, and Theorem 4 no longer applies if we fix $\epsilon$ while allowing the dimension to grow without bound. For that reason, we prefer to formulate the statement of Theorem 4 in terms of the sup norm, rather than inferring a bound on the distance between dilations in the sup norm from a bound on the distance between channels in the diamond norm. 



X. MISALIGNMENT 

Suppose that Bob is unable to control the orientation of his detector perfectly. When he tries to measure the polarization of his qubit along the $z$-axis, he actually measures along an axis that lies somewhere in a cone around the $z$-axis with opening half-angle $\theta$; similarly when he tries to measure along the $x$-axis, he can only guarantee that his axis is within angle $\theta$ of the desired axis. This scenario is equivalent to one in which Bob's measurement is perfect, but Fred rotates the polarization of the qubit by an angle up to $\theta$ right before the measurement. Furthermore the rotation Fred applies may depend on whether Bob is trying to measure $Z$ or $X$, possibly enhancing the phase error rate relative to the bit error rate. 

Suppose, in addition, that Alice is unable to control the orientation of her source perfectly — it too might be rotated by an angle up to $\theta$ from the ideal orientation. Equivalently, we may suppose that Alice's source is perfect, but that Fred rotates the qubit slightly (exploiting his knowledge of the basis) immediately after it is emitted by the source. One way to realize such a source is for Alice to prepare a perfect Bell pair $|\phi^+\rangle$ and give half to Fred (who rotates his half); then Alice performs a standard measurement on her half. But a unitary transformation $U$ applied by Fred to his qubit is equivalent to $U^T$ applied to Alice's (where $U^T$ denotes the transpose of $U$); therefore it would make no difference if Alice's qubit were rotated instead of Fred's. Looked at another way, the reason we can replace Fred's rotation by a rotation acting on Alice's qubit is that the source is oblivious — the emitted state, averaged over the key bits, is maximally mixed, and Fred's attack does not change this property. 
In the entanglement-based protocol, then, the attack in which Fred rotates the orientation of the source and detector is equivalent to an attack in which pairs of qubits are prepared by Eve however she pleases and distributed to Alice and Bob, and then Fred rotates both Alice's and Bob's qubits slightly (by no more than $\theta$) just before standard measurements are performed. Furthermore, we are assuming that Fred's attack is individual — the rotation he applies to the $i$th pair is controlled by only the outcome of the flip of the $i$th coin. Therefore, Theorem 4 applies. We can estimate the rate of generation of secure key by calculating the maximum value of 

$$\sup_{|\psi\rangle}\ \tfrac{1}{2}\left(1 - \mathrm{Re}\,\langle\psi|U_1^{-1}U_0|\psi\rangle\right) = \tfrac{1}{4}\big\|U_1^{-1}U_0 - I\big\|^2_{\rm sup} \qquad (40)$$

where $U_0$ and $U_1$ are unitary transformations applied to the pairs that are consistent with our characterization of the source and detector. 

It is not hard to see that the supremum occurs for $|\psi\rangle$ a maximally entangled state, which, after a suitable choice of basis and phase conventions, we may choose to be $|\phi^+\rangle$. Fred applies separate single-qubit rotations to Alice's qubit and to Bob's; acting on $|\phi^+\rangle$, the combined effect of the two is equivalent to a rotation applied to Bob's qubit alone, by an angle no larger than $2\theta$. The overlap $\langle\phi^+|U_1^{-1}U_0|\phi^+\rangle$ is minimized (for $|\theta| \le \pi/4$) if $U_1^{-1} = U_0$; we may choose $U_0$ to be the transformation $I \otimes U_0$, where $U_0$ is the single-qubit rotation 

$U_0$ \qquad (41) 

We find that 

$$\langle\phi^+|U_1^{-1}U_0|\phi^+\rangle = \cos 2\theta\,, \qquad (42)$$

which implies 

$$\tfrac{1}{4}\big\|U_1^{-1}U_0 - I\big\|^2_{\rm sup} = \sin^2\theta\,. \qquad (43)$$



From Lemma 3, then, we find that Fred's attack is $(e\sin^2\theta + \epsilon)$-balanced for any positive $\epsilon$, and we therefore obtain 

Theorem 5. Security of BB84 against individual misalignment of the source and detector. Suppose that, for each signal, Fred can perform a basis-dependent adjustment of the polarization axes of the source and detector by any angle up to $\theta$. Then the BB84 protocol is secure, and secure final key can be extracted from sifted key at the asymptotic rate 

$$R = \mathrm{Max}\left(1 - H_2(\delta) - H_2\big(\delta + 2f(e\cdot\sin^2\theta)\big),\, 0\right) \qquad (44)$$

where $\delta$ is the bit error rate found in the verification test and $f(e\cdot\sin^2\theta)$ is defined as in eq. (20). (We assume $\delta + 2f(e\cdot\sin^2\theta) < 1/2$ and $\theta \le \pi/4$.) 

Thus for $\delta = 0$ we obtain a nonzero rate of key generation for $\theta < 5.92^\circ$. 

We remark again that in the formulation of Theorem 5 the misalignment of the detector or source is assumed to be adversarial, within the angular tolerance specified in our characterization of the device — Alice and Bob wish to conceal the key from the Eve/Fred alliance. The arguments of Mayers [2] (for detectors) and Koashi-Preskill [6] (for sources) apply to an uncharacterized misalignment that is not adversarial — Alice and Bob wish to conceal the key from Eve and don't care what Fred knows. In that case, the large potential misalignments do not reduce the key generation rate below that achievable with perfect devices, given a specified bit error rate $\delta$ observed in the test. However, the conclusion of [2] about security in the case of an uncharacterized detector applies only if the source is perfect, and likewise the conclusion [6] about the case of an uncharacterized source applies only if the detector is perfect. In contrast, our analysis applies to the case where both the detector and the source are subject to a characterized misalignment. 



XI. GENERIC INDIVIDUAL FLAWS IN SOURCE 
AND DETECTOR 



Suppose that the source and detector are both subject to individual flaws that depend weakly on the basis. The source can be modeled as in Sec. VIII: For each signal to be sent, Fred first prepares a joint state of a qubit $A'$ and a general system $A$. The state that Fred prepares can depend on the basis. Alice then launches the signal by performing a standard measurement on the qubit. If $n$ signals are to be sent, Fred prepares a product state $\bigotimes_{i=1}^{n} \rho_{a_i}^{(i)}$, where $a_i$ denotes the basis choice for the $i$th signal. Thus we say that Fred's attack on the source is individual. The basis dependence of the source is weak in the sense that $\sqrt{F(\rho_0^{(i)}, \rho_1^{(i)})} \ge 1 - 2\epsilon_s$ for each $i$. 

We model the detector as follows: Each signal, after Eve's basis-independent attack, is a state of a general system $B$. The signal is received by Fred, who applies a channel that "squashes" the signal to a qubit $B'$; Fred's channel may depend on the basis in which Bob will conduct his measurement. Then Bob performs a standard single-qubit measurement on the qubit. Fred's basis-dependent squash can be realized as a basis-dependent isometric embedding of $B$ in $B'E$, where $E$ is a suitable ancilla. If $n$ signals are received by the detector, this transformation can be expressed as the tensor product $\bigotimes_{i=1}^{n} U_{a_i}^{(i)}$. Thus we say that Fred's attack on the detector is individual. Furthermore the attack depends only weakly on the basis, in the sense that $\tfrac{1}{4}\big\|U_0^{(i)} - U_1^{(i)}\big\|^2_{\rm sup} \le \epsilon_d$ for each $i$. 

By simultaneously allowing basis-dependent flaws in the source and in the detector, we are going beyond the analysis in Sec. VIII and Sec. IX. But we may anticipate that, as in those cases considered previously, we can show that the attack is $\Delta$-balanced for small $\Delta$, if $\epsilon_s$ and $\epsilon_d$ are small. Indeed, this is the case; for example, if $\epsilon_s = \epsilon_d = \epsilon$ we can show 

Lemma 5. Suppose that the source and detector are subject to basis-dependent flaws. The $i$th signal sent by Alice is prepared by performing a standard qubit measurement on half of an entangled state — this state is $\rho_0^{(i)}$ when the $Z$ basis is declared and $\rho_1^{(i)}$ when the $X$ basis is declared, where $\sqrt{F(\rho_0^{(i)}, \rho_1^{(i)})} \ge 1 - 2\epsilon$ for all $i$. The $i$th signal received by the detector is first squashed to a qubit and then a standard measurement is performed. The squash is described by a channel that can be realized by the isometric embedding $U_0^{(i)}$ when the $Z$ basis is declared and by $U_1^{(i)}$ when the $X$ basis is declared, where $\tfrac{1}{4}\big\|U_0^{(i)} - U_1^{(i)}\big\|^2_{\rm sup} \le \epsilon$ for each $i$. This attack is $\Delta$-balanced for any $\Delta > (\text{term not legible in the source}) + 4\epsilon$. 

Lemma 5, together with Theorem 2, provides a proof of security for generic individual flaws in the source and detector that depend sufficiently weakly on the basis. We omit the proof of Lemma 5, which is rather long and unenlightening. 

A surprising feature of Lemma 5 is the term scaling like $\sqrt{\epsilon}$ in our bound on $\Delta$ — one might reasonably have expected a stronger result, that the attack is $\Delta$-balanced for some $\Delta$ linear in $\epsilon$. However, we have not succeeded in proving a linear bound. 

XII. TAGGED SIGNALS 

Suppose that a fraction $\Delta$ of the qubits emitted by the source are tagged by Fred. The tag informs Eve which basis was used, so that she can measure the qubit without disturbing it. Eve has no information about the basis used for the untagged qubits (a fraction $1 - \Delta$ of the total). 

Note that tagged qubits arise in QKD with weak coherent states. The phase of a signal emitted by a coherent light source may be regarded as random if Eve has no information about the phase [11,32], so that the signal state is a mixture of photon number eigenstates. If the source emits more than one photon, we pessimistically assume that Eve stores the extra photons until after the bases are broadcast, and then measures in the proper basis to learn the key bit without introducing any disturbance. Then the tagging probability is $\Delta = p_M/p_D$, where $p_M$ is the probability of emitting a multiphoton, and $p_D$ is the probability that an emitted photon is detected (we pessimistically assume that all of the photons that fail to arrive were emitted as single photons). Arguably we know $p_M$ if we understand our source well, and $p_D$ can be measured. Hence $\Delta$ is a known (or at least knowable) parameter characterizing a practical implementation of quantum key distribution. 



We can incorporate tagging into our source model by allowing Fred to append to each qubit emitted by Alice's source an auxiliary qutrit that conveys information about the basis to Eve. For a fraction $\Delta$ of the signals (Fred gets to decide which ones), he sets the value of the qutrit to $|a\rangle$, where $a = 0$ indicates the $Z$ basis and $a = 1$ indicates the $X$ basis. For the remaining fraction $1 - \Delta$ of the qubits sent by Alice, Fred sets the qutrit to $|2\rangle$, passing no basis information to Eve. Eve can read the auxiliary qutrit to learn the basis for each tagged qubit, and so measure the key bit without introducing any disturbance. If each coin that determines the basis choice is a qubit initially prepared in the $X = 1$ eigenstate $(|0\rangle + |1\rangle)/\sqrt{2}$, then Fred's attack causes the coin to decohere in the $\{|0\rangle, |1\rangle\}$ basis if the corresponding signal is tagged, but leaves the coin undisturbed if the signal is untagged. 

It follows that the attack is $(\Delta/2 + \epsilon)$-balanced for any positive $\epsilon$, and we could prove security by applying Theorem 2. But in this case it is possible to prove a stronger result, because we know more about the quantum state of the coins. Suppose that, as in Sec. VII, we apply controlled-NOT gates from the pairs to the coins, transforming $n_{\rm gap}^{(Z)}$ to $\tfrac{1}{2}\sum_{i=1}^{n} X_{{\rm coin},i}$. The action on the coin of a controlled-NOT gate preserves an $X$ eigenstate. Therefore, the probability distribution governing the value of $n_{\rm gap}^{(Z)}$ is the same as the probability distribution governing $\tfrac{1}{2}\sum_{i=1}^{n} X_{{\rm coin},i}$ in a state of the $n$ coins with the property that $n(1 - \Delta)$ of the coins are in eigenstates of $X$ with eigenvalue $+1$. Hence with high probability $|n_{\rm gap}^{(Z)}| \le n\Delta/2 + \epsilon$ for any positive $\epsilon$. A similar argument applies to $n_{\rm gap}^{(X)}$, and we find that $|n_{\rm gap}| = |n_{\rm gap}^{(Z)} + n_{\rm gap}^{(X)}| \le n\Delta + \epsilon$ for any positive $\epsilon$. We conclude that secure key can be extracted from sifted key at the asymptotic rate 

$$R = 1 - H_2(\delta) - H_2(\delta + \Delta)\,, \qquad (45)$$

where we have assumed that $\delta + \Delta < 1/2$. 

Note that to obtain the upper bound on $n_{\rm gap}$, all that we needed was the property that Fred interacts with no more than $n\Delta$ of the coins. Therefore, the argument can be applied more broadly than to the particular tagging model that we have defined above. For example, it applies to a setting where there are flaws in the random number generators used by Alice and Bob to select the basis and the key bits. Suppose that for a fraction $n(1 - \Delta)$ of the signals, the basis choice and the key bit are chosen by flipping fair coins, but for a fraction $n\Delta$ of the signals, Fred is free to choose the basis and the key bit however he chooses. In this model, if the source and the detector are perfect otherwise, Fred need not touch $n(1 - \Delta)$ of the coins, and secure key can be generated at the rate eq. (45). (In this estimate of the rate, however, we have continued to assume that the qubits selected for the verification test are a fair sample, and so provide an accurate estimate of the error rate for the key generating pairs. The argument can be extended further to cover the case where Fred is permitted to select a small portion of the test set, by adjusting the estimate of the error rate to take into account the bias in the test.) 

With a more sophisticated argument we can obtain a higher rate of secure key generation than eq. (45). After correcting errors in the sifted key (sacrificing a fraction $H_2(\delta)$ of the key, asymptotically) we imagine executing privacy amplification on two different strings, the sifted key bits arising from the tagged qubits and the sifted key bits arising from the untagged qubits. Since the privacy amplification scheme described in Sec. III is linear (the private key can be computed by applying the $C_2$ parity check matrix to the sifted key after error correction), the key obtained is the bitwise XOR 

$$s_{\rm untagged} \oplus s_{\rm tagged} \qquad (46)$$

of keys that could be obtained from the tagged and untagged bits separately. If $s_{\rm untagged}$ is private and random, then it doesn't matter if Eve knows everything about $s_{\rm tagged}$; the sum is still private and random. 

Therefore we ask if privacy amplification is successful applied to the untagged bits alone. Under the worst case assumption that the bit error rate is zero for tagged qubits, the overall bit error rate $\delta$ is related to the bit error rate $\delta_{\rm untagged}$ for the untagged qubits by 

$$\delta = (1 - \Delta)\,\delta_{\rm untagged}\,. \qquad (47)$$

Since the bit errors and phase errors are related by symmetry for the untagged qubits, the phase error rate $\delta_{p,{\rm untagged}}$ for the untagged qubits satisfies 

$$\delta_{p,{\rm untagged}} \le \delta_{\rm untagged} + \epsilon = \frac{\delta}{1 - \Delta} + \epsilon \qquad (48)$$

with high probability. Since the error rate $\delta$ observed in the test provides a good estimate of $\delta$ for the key generating pairs, we conclude that 

$$\delta_{p,{\rm untagged}} \le \frac{\delta}{1 - \Delta} + \epsilon' \qquad (49)$$

with high probability, for any positive $\epsilon'$ and sufficiently large $n$. If there are $n$ bits of sifted key, then $(1 - \Delta)n$ of these bits come from untagged qubits, and (since bit errors are already corrected) we can extract a private key by sacrificing a fraction $H_2(\delta_{p,{\rm untagged}} + \epsilon'')$ of these for privacy amplification. Thus we have proved: 

Theorem 6. Security of BB84 against tagging. Suppose that Fred interacts with only $n\Delta$ of the $n$ coins that determine the basis used by Alice and Bob. Then the BB84 protocol is secure, and secure final key can be extracted from sifted key at the asymptotic rate 

$$R = \mathrm{Max}\left((1 - \Delta) - H_2(\delta) - (1 - \Delta)\, H_2\!\left(\frac{\delta}{1 - \Delta}\right),\, 0\right) \qquad (50)$$

where $\delta$ is the bit error rate found in the verification test (assuming $\delta/(1 - \Delta) < 1/2$). In particular, this rate of key generation is achievable, assuming that the source and the detector are perfect otherwise, if Fred reveals the basis to Eve for $n\Delta$ of the signals, or if Fred chooses the basis and key bits for $n\Delta$ of the signals. 

In the case where the source emits weak coherent states with random phases, a rate of key generation similar to eq. (50) was established by Inamori, Lütkenhaus, and Mayers (ILM) [8]. Actually, the rate quoted by ILM is below $R$ in Eq. (50) — in their Eq. (18) the argument of $H_2$ in the last term is $2\delta/(1 - \Delta)$ rather than $\delta/(1 - \Delta)$. However, we believe that their argument can be refined to match the rate Eq. (50). With that refinement the ILM result is stronger in a sense than what we have derived here, as it applies to the case of a general uncharacterized detector. 

Theorem 6 can be applied if there is loss in the quantum channel connecting Alice and Bob and/or if Bob's detector has imperfect efficiency, provided that the loss is basis-independent. For example, suppose that each signal emitted by Alice's source is a phase-randomized weak coherent state with mean photon number $\mu \ll 1$, so that the signal is a single photon with probability $p_1 = \mu + O(\mu^2)$, and more than one photon with probability $p_M = \tfrac{1}{2}\mu^2 + O(\mu^3)$. We can describe these signals by imagining a source that never emits multiple photons, followed by a basis-dependent attack by Fred in which Fred interacts with a fraction $p_M$ of all the coins. Now suppose that Eve's attack can be modeled by a basis-independent lossy channel, such that a fraction $\eta$ of all the nonvacuum signals are detected. (Here by "basis-independent" we mean that Eve's attack has no a priori dependence on the basis, though of course Eve can exploit the multiphotons to acquire some information about the basis; the important thing is that Eve can launch her attack without interacting with the coins.) Then a fraction $p_D = \eta\,(\mu + O(\mu^2))$ of all the signals are detected, and of the coins associated with detected signals, Fred interacts with at most a fraction 

$$\Delta = p_M/p_D = \frac{1}{2\eta}\left(\mu + O(\mu^2)\right). \qquad (51)$$

Sifted key is generated at the rate 

$$\tfrac{1}{2}\,\nu\, p_D \qquad (52)$$

where $\nu$ is the repetition frequency of the source. Therefore, if $\Delta$ (and hence also the rate $R$ of generation of final key from sifted key) is held fixed as $\eta$ gets small, then the overall key generation rate $\tfrac{1}{2}\nu p_D R$ is $O(\eta^2)$, as ILM observed [8]. This scaling of the rate with $\eta$ holds approximately as long as dark counts in the detector are not too important, so that the bit error rate $\delta$ is roughly independent of $\eta$. In some current implementations of quantum key distribution using weak coherent states transmitted through optical fibers, dark counts are relatively unimportant, and our analysis of security is applicable, up to a range of approximately 20 km. 
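The rates of eq. (45) and eq. (50), and the weak-coherent-state tag fraction of eq. (51), as an added example in Python (not the paper's own code). It uses exact Poisson photon statistics rather than the $O(\mu)$ expansions above, which goes slightly beyond the text, and the bisection for $\mu$ is my own choice; it checks numerically that the Theorem 6 rate exceeds the eq. (45) rate and that the overall rate scales as $O(\eta^2)$ when $\Delta$ is held fixed, as claimed.

```python
import math

# Added example (not from the paper): key-rate formulas for tagged signals applied to a
# phase-randomized weak coherent source with the pessimistic tag fraction Delta = p_M / p_D.


def h2(x):
    """Binary entropy in bits, with H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def rate_eq45(delta, tag_fraction):
    """Eq. (45): R = 1 - H_2(delta) - H_2(delta + Delta), the rate Theorem 2 gives via the
    (Delta/2 + eps)-balanced argument; 0 where the assumption delta + Delta < 1/2 fails."""
    if delta + tag_fraction >= 0.5:
        return 0.0
    return max(1.0 - h2(delta) - h2(delta + tag_fraction), 0.0)


def rate_eq50(delta, tag_fraction):
    """Eq. (50), Theorem 6: R = Max((1-Delta) - H_2(delta) - (1-Delta) H_2(delta/(1-Delta)), 0).
    Error correction costs H_2(delta) on the whole sifted key; privacy amplification is paid
    only on the untagged fraction, whose worst-case bit error rate is delta/(1-Delta)."""
    if tag_fraction >= 1.0:
        return 0.0
    d_untagged = delta / (1.0 - tag_fraction)
    if d_untagged >= 0.5:
        return 0.0
    return max((1.0 - tag_fraction) - h2(delta)
               - (1.0 - tag_fraction) * h2(d_untagged), 0.0)


def multiphoton_prob(mu):
    """Poisson probability of two or more photons: 1 - e^{-mu}(1 + mu) = mu^2/2 + O(mu^3)."""
    return 1.0 - math.exp(-mu) * (1.0 + mu)


def nonvacuum_prob(mu):
    """Poisson probability of at least one photon: 1 - e^{-mu} = mu + O(mu^2)."""
    return 1.0 - math.exp(-mu)


def tag_fraction_wcs(mu, eta):
    """Delta = p_M / p_D with p_D = eta * P(non-vacuum): every multiphoton is assumed tagged
    and every lost signal is assumed to have been a single photon (pessimistic)."""
    p_d = eta * nonvacuum_prob(mu)
    return min(multiphoton_prob(mu) / p_d, 1.0)


def final_key_rate_wcs(mu, eta, delta, rep_freq):
    """Final key per second: sifted-key rate (1/2) nu p_D of eq. (52) times R of eq. (50)."""
    p_d = eta * nonvacuum_prob(mu)
    return 0.5 * rep_freq * p_d * rate_eq50(delta, tag_fraction_wcs(mu, eta))


def mu_for_tag_fraction(target, eta):
    """Bisect for the mean photon number giving Delta = target at transmittance eta
    (Delta is increasing in mu and roughly mu / (2 eta) for small mu)."""
    lo, hi = 1e-12, 50.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if tag_fraction_wcs(mid, eta) < target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def rate_scaling_exponent(eta_high, eta_low, tag_fraction=0.1, delta=0.01):
    """Hold Delta fixed while eta shrinks (so mu must shrink with it) and fit the power of
    eta in the overall key rate; the text (and ILM) predict O(eta^2), an exponent near 2."""
    r_high = final_key_rate_wcs(mu_for_tag_fraction(tag_fraction, eta_high), eta_high, delta, 1.0)
    r_low = final_key_rate_wcs(mu_for_tag_fraction(tag_fraction, eta_low), eta_low, delta, 1.0)
    return math.log(r_high / r_low) / math.log(eta_high / eta_low)


if __name__ == "__main__":
    delta, tag = 0.02, 0.1
    print(f"eq.(45): {rate_eq45(delta, tag):.4f}   eq.(50): {rate_eq50(delta, tag):.4f}")
    for eta in (0.1, 0.01, 0.001):
        mu = mu_for_tag_fraction(tag, eta)
        print(f"eta={eta:<6} mu={mu:.5f}  final key / pulse = {final_key_rate_wcs(mu, eta, delta, 1.0):.3e}")
    print(f"scaling exponent of rate in eta: {rate_scaling_exponent(0.1, 0.01):.3f}")
```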

Theorem 6 applies if Fred tags any $n\Delta$ of the signals. But it does not apply to a coherent superposition of such attacks. Suppose, for example, that in the entanglement-based protocol, Fred's attack on the pairs and the coins produces a state 

$S : |S| \le n\Delta$ \qquad (53) 

here the sum is over subsets $S$ that contain no more than $n\Delta$ of the $n$ pairs, and $|\Psi_S\rangle$ is the state resulting from tagging the pairs in the set $S$. Although Theorem 6 does not apply to a general superposition of tagged states as in eq. (53), Theorem 2 does apply to this case. After we trace out Fred's labeling qutrits, the state of the coin can be realized as an ensemble of states, where for each state in the ensemble at least $n(1 - \Delta)$ of the coins are $X = 1$ eigenstates and the rest are mixtures of $Z$ eigenstates. Therefore, if the coins are all measured in the $X$ basis, with high probability the number of coins for which the outcome $X = -1$ is found will be less than $n(\Delta/2 + \epsilon)$. Thus the attack is $(\Delta/2 + \epsilon)$-balanced for any positive $\epsilon$ and sufficiently large $n$, and it follows from Theorem 2 that secure key can be generated at the corresponding rate (a lower rate than found in Theorem 6). 

In particular, then, Theorem 2 can be applied to a general source that emits signals that are sufficiently close to perfect single photon pulses, even if the multiphotons occur with nonrandom phases. Unfortunately, though, our arguments do not allow us to address the case where the source emits weak coherent states with nonrandom phases — in that case the states are dominated by the amplitude to emit the vacuum state, and the tagging model we have analyzed here does not apply. This difficulty seems to be more than a mere shortcoming of our model; the deeper problem is that weak coherent states with nonrandom phases leak a significant amount of basis information, which may compromise security. 

As for all of the cases that we consider in this paper, the crux of our analysis of tagging is a bound on the phase error rate $\delta_p$ of the key generating pairs that holds with high probability — it does not suffice for $\delta_p$ to be bounded after averaging over Fred's strategy. Therefore, our security proof need not apply for a highly correlated basis-dependent attack on the signals, even if the bit error rate $\delta$ and phase error rate $\delta_p$ resulting from the attack have mean values that are nearly equal.* 

For example, suppose that with a small probability $r$, Fred tells Eve the basis for every signal, while with probability $1 - r$, Fred tells Eve nothing. Then on average the disparity between the bit error rate and the phase error rate is small. However, with a fixed probability $r$ that does not depend on the key length, Eve can learn the whole key. Therefore, the quantum key distribution protocol is insecure for a source of this type. 



XIII. TROJAN PONY 

Suppose that the detector is not perfectly efficient. A fraction $\Delta$ of the signals that enter the detector fail to trigger it, resulting in no recorded outcome. Suppose further that Fred, who knows Bob's basis, controls whether the detector fires or not, subject to the constraint that only a fraction $\Delta$ of the detection events can be eliminated. Note that the parameter $\Delta$ can be measured in the protocol. 

Fred can use his power to disguise Eve's attack, en- 
hancing the detection rate when Bob measures in the 
same basis as Eve did and suppressing the detection rate 
when Bob measures in a different basis than Eve's. This 
is a limited version of the "Trojan horse" attack [28] — 
we call it the "Trojan pony." As we remarked in Sec. V, 
one version of the Trojan pony attack can be launched 
if Bob's detector is configured as a polarization beam 
splitter that directs the signals to a pair of threshold 
detectors; Eve can ensure that the detector fails to regis- 
ter a conclusive result by flooding it with many photons. 
We will analyze this attack in a different setting, in which 
Bob's detector receives qubits rather than bosonic modes. 

In the EDP setting, we allow Fred to eliminate a fraction $\Delta$ of the pairs (corresponding to the qubits for which he "turns off" Bob's detector). In the worst case, every pair that he eliminates has a bit error and no phase error. Before any pairs were eliminated, the error rate was essentially the same in both bases — call this rate $p$. After eliminating the undetected pairs, the error rates are 

$$\delta \approx \frac{p - \Delta}{1 - \Delta}\,, \qquad \delta_p \approx \frac{p}{1 - \Delta} \qquad (54)$$

(assuming $\Delta \le p \le 1 - \Delta$). Note that, for ease of presentation, we have not included the $\epsilon$'s in eq. (54); instead we have used the symbol $\approx$ to indicate relations that are satisfied to arbitrarily good accuracy with high probability asymptotically. Eliminating $p$ we find 

$$\delta_p \approx \delta + \frac{\Delta}{1 - \Delta}\,, \qquad (55)$$

and, since the error rate $\delta$ measured in the test provides a reliable estimate of $\delta$, we infer that final key can be generated from sifted key at the achievable rate 

$$R = 1 - H_2(\delta) - H_2\!\left(\delta + \frac{\Delta}{1 - \Delta}\right) \qquad (56)$$



^We thank Dominic Mayers for a helpful discussion of this point. 
where we have assumed that $\delta + \Delta/(1 - \Delta) < 1/2$. 

We can use similar reasoning if the detector efficiency is 
low, but we trust that most of the instances where the de- 
tector fails to fire are chosen at random, and only a small 
percentage of all the detector failures are due to Fred's 
intervention. In the absence of other imperfections, ran- 
dom misfires merely reduce the number of sifted key bits, 
but without breaking the symmetry between the bases. 
Eq. (56) still applies if a fraction f of detection events 
are removed by random errors, and a fraction $\Delta$ of the 
remaining events are removed adversarially, resulting in 
an overall efficiency $\eta = (1 - f)(1 - \Delta)$. Thus we have 
proved 

Theorem 7. Security of BB84 against basis- 
dependent detector efficiency. Suppose that of the 
signals that arrive at Bob's detector, a fraction f cho- 
sen at random are removed, and of those that remain 
a fraction $\Delta$ chosen adversarially by Fred are also re- 
moved, so that the overall efficiency of the detector is 
$\eta = (1 - f)(1 - \Delta)$. Then the BB84 protocol is secure, 
and secure final key can be extracted from the (detected) 
sifted key at the asymptotic rate 

$$R = \max\left\{1 - H_2(\delta) - H_2\!\left(\delta + \frac{\Delta}{1 - \Delta}\right),\; 0\right\} \qquad (58)$$

where $\delta$ is the bit error rate found in the verification test 
(assuming $\delta + \Delta/(1 - \Delta) < 1/2$). 

Note that we can measure the efficiency $\eta$ in the proto- 
col, but can determine $\Delta$ only by acquiring a good un- 
derstanding of the vulnerability of the detector to tam- 
pering. In fact, in current implementations the typical 
efficiency for detection of single photons at telecommu- 
nication wavelengths is about 15% [33]. Theorem 7 can 
also be applied to the case where basis-dependent losses 
occur in the quantum channel connecting Alice and Bob, 
with $\Delta$ parametrizing the basis dependence. 

ILM [8,27] discussed the specific type of Trojan pony 
attack in which Eve floods Bob's polarization beam split- 
ter with many photons of the same polarization, generat- 
ing a "double click" in Bob's two photon detectors when 
he tries to measure the polarization in the conjugate ba- 
sis. For this case they proposed that Bob choose his 
key bit randomly each time he encounters a double click 
event. Security of this scheme is ensured by the result of 
Mayers [2]: the POVM that assigns a random outcome 
to the "double-click" subspace is a possible measurement 
that Fred could arrange, and Mayers proved security for 
an arbitrary detector POVM. If double clicks occur a 
fraction $\Delta$ of the time, and the bit error rate is $\delta$ when 
single clicks occur, then the overall error rate under the 
ILM prescription will be $(1 - \Delta)\delta + \Delta/2$, resulting in a 
key generation rate 

$$R = 1 - 2H_2\!\left((1 - \Delta)\delta + \Delta/2\right). \qquad (59)$$

The rate is further enhanced by the factor $(1 - \Delta)^{-1}$ 
relative to Eq. (56), since all detection events, including 
the double clicks, contribute to the sifted key. Thus the 
achievable rate established by ILM exceeds the rate we 
have derived, except for relatively large $\Delta$ and relatively 
small $\delta$. However, the two results cannot be compared 
directly, because they apply to two different models of 
the adversary. The ILM result Eq. (59) applies to a par- 
ticular Trojan pony attack that can be launched by Eve 
if the Bob/Fred POVM has suitable properties; it pro- 
vides a condition for Eve (but not Fred) to have negli- 
gible information about the key. Eq. (56) is the rate at 
which key can be extracted under a Trojan pony attack 
in which Fred receives qubits, and can prevent some of 
the qubits from registering in Bob's detector. But in this 
case the key is kept secret not just from Eve but from 
the Eve/Fred alliance. 

A different type of issue relating to detector efficiency 
arises if the detector failures occur at different rates when 
measuring in the X and Z bases, but are otherwise ran- 
domly distributed. The bias in the detector efficiency 
breaks the symmetry between the bases, but a simple 
variant of the Shor-Preskill argument still applies. In 
the entanglement distillation picture, we may imagine 
that Alice and Bob at first share many noisy pairs; fur- 
thermore, after a random permutation unknown to the 
adversary is applied, the pairs are symmetrized so that 
all have the same marginal density operator. Then some 
of the pairs are removed from the sample by a random 
process. Though the probability of removal may depend 
on the basis used to generate the key bit, Alice and Bob 
can still infer the phase error rate from the bit error rate 
if they conduct a refined data analysis [25], measuring 
separate error rates $\delta_X$ and $\delta_Z$ for the X and Z bases 
respectively. If a fraction $p_X$ of the sifted key bits are 
generated in the X basis and a fraction $p_Z$ in the Z ba- 
sis (where $p_X + p_Z = 1$), so that the bit error rate is 
$\delta = p_X \delta_X + p_Z \delta_Z$, then the phase error rate to insert in 
Eq. (4) becomes $\delta_p = p_X \delta_Z + p_Z \delta_X$. 
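As an added worked example (our code, not the paper's), the following Python evaluates the rates of the Trojan pony analysis, Eqs. (54)-(59), and the refined-data-analysis rate for a basis-biased detector efficiency, and checks the claim that the ILM rate exceeds Eq. (56) except for relatively large $\Delta$ and small $\delta$. Function names are ours; the rate of Eq. (4) is assumed here to be $1 - H_2(\delta) - H_2(\delta_p)$, which is what Eq. (56) reduces to with $\delta_p$ the phase error rate.

```python
"""Key-rate arithmetic for the Trojan pony (basis-dependent detector) model.

Added worked example, not code from the paper. Symbols follow the text:
  delta    bit error rate measured on the sifted key
  delta_p  phase error rate
  Delta    fraction of detection events Fred can suppress adversarially
  H2       binary entropy in bits
Assumed: Eq. (4) reads 1 - H2(delta) - H2(delta_p), consistent with Eq. (56).
"""
import math


def h2(x):
    """Binary entropy H_2(x) in bits, with H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def post_selected_rates(p, Delta):
    """Eq. (54): (delta, delta_p) after Fred discards a fraction Delta of the
    pairs, every discarded pair carrying a bit error and no phase error.
    Both rates equal p before removal; requires Delta < p < 1 - Delta."""
    if not (Delta < p < 1.0 - Delta):
        raise ValueError("need Delta < p < 1 - Delta")
    return (p - Delta) / (1.0 - Delta), p / (1.0 - Delta)


def phase_error_bound(delta, Delta):
    """Eq. (55): worst-case phase error rate inferred from the measured delta."""
    return delta + Delta / (1.0 - Delta)


def rate_trojan_pony(delta, Delta):
    """Eqs. (56)/(58): key per detected sifted bit, secret from Eve and Fred.
    Zero (abort) once delta + Delta/(1 - Delta) reaches 1/2."""
    return max(1.0 - h2(delta) - h2(phase_error_bound(delta, Delta)), 0.0)


def rate_ilm(delta, Delta):
    """Eq. (59): ILM prescription, Bob assigns a random bit to each double
    click; key per sifted bit with the double clicks (fraction Delta) included."""
    return max(1.0 - 2.0 * h2((1.0 - Delta) * delta + Delta / 2.0), 0.0)


def ilm_beats_trojan_pony(delta, Delta):
    """Compare on the same footing: Eq. (59) counts every detection event, so
    per event surviving Fred's removal it is enhanced by 1/(1 - Delta)."""
    return rate_ilm(delta, Delta) / (1.0 - Delta) > rate_trojan_pony(delta, Delta)


def rate_biased_efficiency(p_x, delta_x, delta_z):
    """Refined data analysis for random failures at different rates in the X
    and Z bases: delta = p_X delta_X + p_Z delta_Z, and the phase error rate of
    the X-basis bits is read off the Z-basis bit errors and vice versa,
    delta_p = p_X delta_Z + p_Z delta_X."""
    p_z = 1.0 - p_x
    delta = p_x * delta_x + p_z * delta_z
    delta_p = p_x * delta_z + p_z * delta_x
    return max(1.0 - h2(delta) - h2(delta_p), 0.0)


if __name__ == "__main__":
    # Scan a small grid of constructed (Delta, delta) values.
    print("Delta   delta   R(56)   R(59)/(1-Delta)  ILM higher?")
    for Delta in (0.02, 0.05, 0.10, 0.20):
        for delta in (0.005, 0.02, 0.05):
            r56 = rate_trojan_pony(delta, Delta)
            r59 = rate_ilm(delta, Delta) / (1.0 - Delta)
            print(f"{Delta:5.2f}  {delta:6.3f}  {r56:6.3f}  {r59:15.3f}  "
                  f"{ilm_beats_trojan_pony(delta, Delta)}")
```

The scan shows the crossover the text describes: at $\Delta = 0.05$, $\delta = 0.05$ the ILM prescription yields more key per event, while at $\Delta = 0.2$, $\delta = 0.01$ Eq. (56) is larger, even though, as the text stresses, the two rates protect against different adversaries.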



XIV. CONCLUSIONS 

We have shown that the BB84 quantum key distribu- 
tion protocol is secure when the source and/or detector 
are subject to small errors that are controlled by an ad- 
versary who knows the basis used by Alice and Bob. We 
have formulated a method for estimating the key genera- 
tion rate in the presence of such errors, and we have ap- 
plied the method to various model sources and detectors. 
Our results are complementary to earlier proofs of secu- 
rity [2,6] that apply to flaws in the apparatus that may 
be large but are nonadversarial; furthermore, unlike those 
of [2,6], our results apply when both the source and the 
detector have small basis-dependent flaws, as will be the 
key distribution. We have argued that the security holes 
of real sources and detectors can be usefully investigated 
within our framework, and we expect that the methods 
we have developed will find further applications. 

However, the model sources and detectors to which 
our analysis applies are not completely general. In our 
model of the source, each signal is launched by prepar- 
ing an entangled state of a qubit and a general system, 
followed by an ideal measurement of the qubit. To estab- 
lish security, we require that the entangled state depend 
only weakly on the basis used in the protocol. With 
this model, we are unable to treat, for example, the case 
where the source emits weak coherent states with non- 
random phases. Likewise, we model the detector as a 
quantum channel followed by an ideal measurement of 
a qubit, and to establish security we require that the 
quantum channel depend only weakly on the basis. In 
particular, we are unable to treat the case where the sig- 
nals received by the detector reside in a Hilbert space of 
arbitrarily high dimension. 

Various other issues regarding the security of BB84 and 
other quantum key distribution protocols have not been 
addressed here. We have not considered how to charac- 
terize devices reliably using testing equipment that is it- 
self untrustworthy (as in [7]). We have not discussed how 
to improve the rate of key generation beyond the rate in 
Eq. (4) through privacy amplification schemes that use 
two-way communication between Alice and Bob [15]. Fi- 
nally, our security analysis applies to the asymptotic limit 
of an infinite key — we have not analyzed the practical 
aspects of error correction and privacy amplification in 
the case of finite key length. 


APPENDIX A. SIMILAR CHANNELS HAVE 
SIMILAR DILATIONS 

Here we will prove: 

Lemma 4. Similar channels have similar dila- 
tions. Suppose that $\mathcal{E}_0$ and $\mathcal{E}_1$ are quantum channels 
mapping a d-dimensional system S to a d'-dimensional 
system T, such that $\|\mathcal{E}_0 - \mathcal{E}_1\|_\diamond < \varepsilon$. Then there are 
dilations $U_0$ and $U_1$ of the channels (isometric embed- 
dings of S in TE, where E is dd'-dimensional) such that 

$$\|U_0 - U_1\|_{\rm sup}^2 < d\varepsilon.$$

It is convenient to characterize a quantum channel $\mathcal{E}$ 
mapping system S to system T by considering the action 
of $I \otimes \mathcal{E}$ on a reference system R and the system S, where 
$\dim R = \dim S = d$. Let 

$$|\Phi\rangle = \sum_{i=1}^{d} |i\rangle_R \otimes |i\rangle_S \qquad (60)$$

denote an unconventionally normalized maximally entan- 
gled pure state on RS, satisfying $\langle\Phi|\Phi\rangle = d$. We may 
define 

$$\rho = I \otimes \mathcal{E}\,(|\Phi\rangle\langle\Phi|) \qquad (61)$$

where $\rho$ is an unconventionally normalized density oper- 
ator on RT, satisfying ${\rm tr}\,\rho = d$. The action of $\mathcal{E}$ on a 
pure state $|\varphi\rangle = \sum_i a_i |i\rangle$ on S can then be expressed as 

$$\mathcal{E}(|\varphi\rangle\langle\varphi|) = \langle\varphi^*|\rho|\varphi^*\rangle \qquad (62)$$

where $|\varphi^*\rangle = \sum_i a_i^* |i\rangle$ is the "index state" on R corre- 
sponding to $|\varphi\rangle$. If we introduce an additional system E 
(the "environment," of dimension dd'), we can construct 
a purification $|\Phi'\rangle$ of $\rho$ on RTE such that $\langle\Phi'|\Phi'\rangle = d$. 
This purification defines a "dilation" U of the channel $\mathcal{E}$ 
that realizes $\mathcal{E}$ as an isometric embedding of S in TE. 
The action of the dilation on the pure state $|\varphi\rangle$ is 

$$|\varphi\rangle \to U|\varphi\rangle = \langle\varphi^*|\Phi'\rangle. \qquad (63)$$

Now suppose that $\mathcal{E}_0$ and $\mathcal{E}_1$ are two channels acting 
on S, satisfying the inequality 

$$\|\mathcal{E}_0 - \mathcal{E}_1\|_\diamond < \varepsilon \qquad (64)$$

and that $\rho_0$ and $\rho_1$ are the corresponding states obtained 
from the action of $I \otimes \mathcal{E}_0$ and $I \otimes \mathcal{E}_1$ on $|\Phi\rangle$. The diamond 
norm [31] is defined by 

$$\|\mathcal{E}\|_\diamond = \sup_{\sigma:\ \|\sigma\|_{\rm tr} = 1} \|I \otimes \mathcal{E}\,(\sigma)\|_{\rm tr} \qquad (65)$$

(the supremum taken over operators $\sigma$ on RS); since $\langle\Phi|\Phi\rangle = d$, 
it follows that the trace distance between $\rho_0$ and $\rho_1$ satisfies 

$$\|\rho_0 - \rho_1\|_{\rm tr} < d\varepsilon. \qquad (66)$$

Since, for conventionally normalized density operators, 
the fidelity and trace distance are related by 

$$\sqrt{F(\rho_0, \rho_1)} \geq 1 - \tfrac{1}{2}\|\rho_0 - \rho_1\|_{\rm tr} \qquad (67)$$

it follows [29,30] that $\rho_0$ and $\rho_1$ have purifications $|\Phi'_0\rangle$ 
and $|\Phi'_1\rangle$ on RTE with norm $\sqrt{d}$ and overlap satisfying 

$$\mathrm{Re}\,\langle\Phi'_0|\Phi'_1\rangle > d\left(1 - \frac{\varepsilon}{2}\right). \qquad (68)$$

This large overlap of the purifications $|\Phi'_0\rangle$ and $|\Phi'_1\rangle$ 
implies that the corresponding dilations $U_0$ and $U_1$ of 
the channels are close to one another in the sup norm. 
Given any $|\psi\rangle$ on S, we may regard it as one element of 
a basis $\{|\varphi_i\rangle\}$ for S. Since $\sum_i |\varphi_i^*\rangle\langle\varphi_i^*| = I$ on R, 
eq. (68) may be rewritten, using eq. (63), as 

$$\mathrm{Re}\sum_{i=1}^{d} \langle\varphi_i|U_1^\dagger U_0|\varphi_i\rangle = \mathrm{Re}\sum_{i=1}^{d} \langle\Phi'_1|\varphi_i^*\rangle\langle\varphi_i^*|\Phi'_0\rangle > d\left(1 - \frac{\varepsilon}{2}\right). \qquad (69)$$

But each of the d terms in the sum is no larger than 1, 
and since the sum is greater than $d - d\varepsilon/2$, each term 
must be greater than $d - d\varepsilon/2 - (d - 1) = 1 - d\varepsilon/2$. We 
conclude, then, that for any pure state $|\psi\rangle$ on S, 

$$\mathrm{Re}\,\langle\psi|U_1^\dagger U_0|\psi\rangle > 1 - \frac{d\varepsilon}{2}. \qquad (70)$$

Therefore, for any $|\psi\rangle$ 

$$\|(U_0 - U_1)|\psi\rangle\|^2 = 2 - 2\,\mathrm{Re}\,\langle\psi|U_1^\dagger U_0|\psi\rangle < d\varepsilon, \qquad (71)$$

and hence 

$$\|U_0 - U_1\|_{\rm sup}^2 < d\varepsilon. \qquad (72)$$

This proves Lemma 4. 



[1] C. H. Bennett and G. Brassard, "Quantum cryptography: 
Public key distribution and coin tossing," in Proceed- 
ings of IEEE International Conference on Computers, 
Systems and Signal Processing, Bangalore, India (IEEE, 
New York, 1984), pp. 175-179. 

[2] D. Mayers, "Quantum key distribution and string 
oblivious transfer in noisy channels," in Advances 
in Cryptology: Proceedings of Crypto '96 (Springer- 
Verlag, New York, 1996), pp. 343-357; "Unconditional se- 
curity in quantum cryptography," J. Assoc. Comp. Mach. 
48, 351 (2001), arXiv:quant-ph/9802025. 

[3] H.-K. Lo and H. F. Chau, "Unconditional security 
of quantum key distribution over arbitrarily long dis- 
tances," Science 283, 2050-2056 (1999), arXiv:quant- 
ph/9803006. 

[4] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. Roy- 
chowdhury, "A proof of the security of quantum key dis- 
tribution," in Proceedings of the 32nd Annual ACM Sym- 
posium on Theory of Computing (ACM Press, New York, 
2000), pp. 715-724, arXiv:quant-ph/9912053. 

[5] P. W. Shor and J. Preskill, "Simple proof of secu- 
rity of the BB84 quantum key distribution protocol," 
Phys. Rev. Lett. 85, 441-444 (2000), arXiv:quant- 
ph/0003004. 

[6] M. Koashi and J. Preskill, "Secure quantum key distri- 
bution with an uncharacterized source," Phys. Rev. Lett. 
90, 057902 (2003), arXiv:quant-ph/0208155 (2002). 

[7] D. Mayers and A. Yao, "Quantum cryptography with im- 
perfect apparatus," arXiv:quant-ph/9809039 (1998); D. 
Mayers and A. Yao, "Self testing quantum apparatus," 
arXiv:quant-ph/0307205. 

[8] H. Inamori, N. Lütkenhaus and D. Mayers, "Uncondi- 
tional security of practical quantum key distribution," 
arXiv:quant-ph/0107017 (2001). 

[9] B. A. Slutsky, R. Rao, P.-C. Sun, and Y. Fainman, "Se- 
curity of quantum cryptography against individual at- 
tacks," Phys. Rev. A 57, 2383-2398 (1998). 

[10] N. Lütkenhaus, "Security against individual attacks for 
realistic quantum key distribution," Phys. Rev. A 61, 
052304 (2000), arXiv:quant-ph/9910093. 

[11] G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, 
"Security aspects of practical quantum cryptography," 
Phys. Rev. Lett. 85, 1330-1333 (2000), arXiv:quant- 
ph/9911054. 

[12] S. Felix, N. Gisin, A. Stefanov, H. Zbinden, "Faint 
laser quantum key distribution: Eavesdropping exploit- 
ing multiphoton pulses," J. Mod. Opt. 48, 2009 (2001), 
arXiv:quant-ph/0102062. 

[13] G. Gilbert and M. Hamrick, "Practical quantum 
cryptography: a comprehensive analysis (part one)," 
arXiv:quant-ph/0009027 (2000). 

[14] G. Gilbert and M. Hamrick, "Secrecy, computational 
loads and rates in practical quantum cryptography," Al- 
gorithmica 34, 314-339 (2002), arXiv:quant-ph/0106043 
(2001). 

[15] D. Gottesman and H.-K. Lo, "Proof of security of quan- 
tum key distribution with two-way classical communica- 
tions," IEEE Trans. Information Theory 49, 457 (2003), 
arXiv:quant-ph/0105121 (2001). 

[16] M. Ben-Or, "Simple security proof for quantum 
key distribution," online presentation available at 
http://www.msri.org/publications/ln/msri/2002/qip/ben-or/1/index.html (2002). 

[17] C. H. Bennett, G. Brassard, S. Popescu, B. Schumacher, 
J. A. Smolin, and W. K. Wootters, "Purification of noisy 
entanglement and faithful teleportation via noisy chan- 
nels," Phys. Rev. Lett. 76, 722-725 (1996), arXiv:quant- 
ph/9511027. Erratum: Phys. Rev. Lett. 78, 2031 (1997). 

[18] D. Deutsch, A. Ekert, R. Jozsa, C. Macchiavello, S. 
Popescu, and A. Sanpera, "Quantum privacy amplifi- 
cation and the security of quantum cryptography over 
noisy channels," Phys. Rev. Lett. 77, 2818-2821 (1996), 
arXiv:quant-ph/9604039. Erratum: Phys. Rev. Lett. 
80, 2022 (1998). 

[19] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin and W. K. 
Wootters, "Mixed state entanglement and quantum er- 
ror correction," Phys. Rev. A 54, 3824-3851 (1996), 
arXiv:quant-ph/9604024. 

[20] A. R. Calderbank and P. W. Shor, "Good quantum er- 
ror correcting codes exist," Phys. Rev. A 54, 1098-1105 
(1996), arXiv:quant-ph/9512032. 

[21] A. M. Steane, "Multiple particle interference and quan- 
tum error correction," Proc. Roy. Soc. Lond. A 452, 
2551-2577 (1996), arXiv:quant-ph/9601029. 

[22] D. Gottesman and J. Preskill, "Secure quantum key 
distribution using squeezed states," Phys. Rev. A 63, 
022309 (2001), arXiv:quant-ph/0008046. 

[23] M. Hamada, "Reliability of Calderbank-Shor-Steane 
codes and the security of quantum key distribution," 
arXiv:quant-ph/0311003 (2003). 

[24] D. A. Spielman, "Linear-time encodable and decodable 
error-correcting codes," IEEE Trans. Information Theory 
42, 1723-1731 (1996). 

[25] H.-K. Lo, H. F. Chau, and M. Ardehali, "Efficient quan- 
tum key distribution scheme and proof of its uncondi- 
tional security," arXiv:quant-ph/0011056 (2000). 

[26] D. Gottesman and I. L. Chuang, "Quantum digital sig- 
natures," arXiv:quant-ph/0105032 (2001). 

[27] N. Lütkenhaus, "Estimates for practical quantum 
cryptography," Phys. Rev. A 59, 3301-3319 (1999), 
arXiv:quant-ph/9806008. 

[28] H.-K. Lo, "Proof of unconditional security of six-state 
quantum key distribution scheme," Quant. Info. Comp. 
1, 81-94 (2001), arXiv:quant-ph/0102138. 

[29] A. Uhlmann, "The 'transition probability' in the state 
space of a *-algebra," Reports on Mathematical Physics 
9, 273-279 (1976). 

[30] R. Jozsa, "Fidelity for mixed quantum states," J. Mod. 
Opt. 41, 2315-2323 (1994). 

[31] D. Aharonov, A. Kitaev, and N. Nisan, "Quantum cir- 
cuits with mixed states," in Proceedings of the Thir- 
tieth Annual ACM Symposium on Theory of Comput- 
ing (STOC) (ACM Press, New York, 1998), pp. 20-30, 
arXiv:quant-ph/9806029. 

[32] S. J. van Enk and C. A. Fuchs, "The quantum state 
of a laser field," Quant. Info. Comp. 2, 151-165 (2002), 
arXiv:quant-ph/0111157. 

[33] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, "Quan- 
tum cryptography," Rev. Mod. Phys. 74, 145-195 (2002), 
arXiv:quant-ph/0101098. 